Steps for verifying manual IPSec protection

Verify manual IPSec protection.

Before you begin

Complete the steps in Steps for verifying IP security and defensive filter operation in order to identify the name of an IpFilterRule for which manual IPSec protection is to be verified.

About this task

Figure 1 shows the decisions involved for verifying manual IPSec protection.

Figure 1. Overview of verifying manual IPSec protection (flowchart; the decisions it shows are the steps listed under Procedure)

Procedure

Perform the following steps:

  1. Verify that the manual filters that correspond to the identified IpFilterRule are installed in the stack by using the ipsec -f display -n command. Two filters of type Manual (one inbound and one outbound) are installed in the stack for an IpFilterRule that is configured with an IpManVpnAction. If the manual filter rules are not installed in the stack, correct the IP filter policy. Note that an IpFilterRule might be inactive (not installed) in the stack because of an IpTimeCondition. For information about the ipsec command, see z/OS Communications Server: IP System Administrator's Commands. See z/OS Communications Server: IP Configuration Reference for more information about the IpManVpnAction and IpTimeCondition statements.

    If IP filter rules are not installed, also verify that Policy Agent is active.

  2. Obtain the IpManVpnAction name by locating the VpnActionName field in the ipsec -f command output. This is the name of the IpManVpnAction policy configuration statement. Obtain the manual tunnel ID by locating the TunnelID field in the ipsec -f display command output. The Tunnel ID for a manual tunnel has a value of M, followed by a positive integer.
  3. Verify that the manual tunnel is active.

    Use the ipsec -m display -a command, supplying the manual tunnel ID.

    Locate the State field in the ipsec -m command output and confirm that it indicates Active. If the manual tunnel is not active, then activate the tunnel using the ipsec -m activate command. You might consider updating the IpManVpnAction policy configuration statement to specify Active yes, if it is not already specified. A setting of Active yes causes the manual tunnel state to be set to active when the manual tunnel is installed in the stack, without the additional step of issuing ipsec -m activate.

    If you are using the IBM® Configuration Assistant for z/OS® Communications Server to configure IP security policy, you can choose to automatically activate manual tunnels within each Connectivity Rule.

  4. Contact the remote security endpoint's network administrator to ensure that the manual tunnel has been activated remotely. For traffic to flow through a manual tunnel, the remote security endpoint must also activate the manual tunnel.
  5. Verify that IpManVpnAction is enforced. See Steps for verifying IP security policy or defensive filter enforcement.
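
As an added example that is not part of the z/OS Communications Server documentation, the following POSIX shell script applies the checks from steps 1 through 3 to saved command output. The intended use is to capture `ipsec -f display -n` and `ipsec -m display -a <tunnel ID>` to files on the z/OS UNIX shell and run the checks against them; here the script embeds constructed sample output so that it runs offline. The field names Type, VpnActionName, TunnelID and State come from the steps above; the FilterName and Direction fields, the column layout and every value in the sample output are assumptions, so the parser depends only on the `Name: value` line convention and may need adjusting to the real output format.

```shell
#!/bin/sh
# Added example (not IBM's code): checks steps 1 to 3 of "verifying manual
# IPSec protection" against saved ipsec command output.

# Constructed sample of `ipsec -f display -n` output. Field names Type,
# VpnActionName and TunnelID come from the documentation; FilterName,
# Direction, the layout and all values are assumptions for this example.
SAMPLE_FILTERS='FilterName:      Branch-to-HQ
Direction:       Inbound
Type:            Manual
VpnActionName:   HQ-ManualAction
TunnelID:        M1

FilterName:      Branch-to-HQ
Direction:       Outbound
Type:            Manual
VpnActionName:   HQ-ManualAction
TunnelID:        M1

FilterName:      WebTraffic
Direction:       Inbound
Type:            Generic
VpnActionName:   n/a
TunnelID:        n/a'

# Constructed sample of `ipsec -m display -a M1` output (layout assumed).
SAMPLE_TUNNEL='TunnelID:        M1
VpnActionName:   HQ-ManualAction
State:           Active'

# field TEXT NAME -> value of the first "NAME:" line in TEXT.
field() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == (n ":") { print $2; exit }'
}

# manual_filter_count FILTER_OUTPUT RULE DIRECTION -> number of blank-line
# separated entries whose FilterName is RULE, Type is Manual and Direction is
# DIRECTION. Step 1 expects exactly one Inbound and one Outbound entry.
manual_filter_count() {
    printf '%s\n' "$1" | awk -v rule="$2" -v dir="$3" '
        BEGIN { RS = ""; FS = "\n"; count = 0 }
        {
            name = ""; type = ""; d = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, ":"); key = kv[1]; val = kv[2]
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (key == "FilterName") name = val
                else if (key == "Type") type = val
                else if (key == "Direction") d = val
            }
            if (name == rule && type == "Manual" && d == dir) count++
        }
        END { print count }'
}

# manual_tunnel_id FILTER_OUTPUT RULE -> TunnelID of the first Manual entry
# for RULE (step 2).
manual_tunnel_id() {
    printf '%s\n' "$1" | awk -v rule="$2" '
        BEGIN { RS = ""; FS = "\n" }
        {
            name = ""; type = ""; tid = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, ":"); key = kv[1]; val = kv[2]
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (key == "FilterName") name = val
                else if (key == "Type") type = val
                else if (key == "TunnelID") tid = val
            }
            if (name == rule && type == "Manual") { print tid; exit }
        }'
}

# is_manual_tunnel_id ID -> succeeds if ID is "M" followed by a positive integer.
is_manual_tunnel_id() {
    printf '%s\n' "$1" | grep -Eq '^M[1-9][0-9]*$'
}

# tunnel_state TUNNEL_OUTPUT -> value of the State field (step 3).
tunnel_state() {
    field "$1" State
}

# verify_manual_protection FILTER_OUTPUT TUNNEL_OUTPUT RULE
# Prints "OK: ..." and returns 0 when steps 1 to 3 pass; otherwise prints the
# first failing condition with the remedy the documentation gives and returns 1.
verify_manual_protection() {
    in_count=$(manual_filter_count "$1" "$3" Inbound)
    out_count=$(manual_filter_count "$1" "$3" Outbound)
    if [ "$in_count" -ne 1 ] || [ "$out_count" -ne 1 ]; then
        echo "FAIL: expected 1 inbound and 1 outbound Manual filter for $3, found $in_count/$out_count; check the IP filter policy, any IpTimeCondition, and that Policy Agent is active"
        return 1
    fi
    tid=$(manual_tunnel_id "$1" "$3")
    if ! is_manual_tunnel_id "$tid"; then
        echo "FAIL: TunnelID '$tid' is not a manual tunnel ID (M followed by a positive integer)"
        return 1
    fi
    state=$(tunnel_state "$2")
    if [ "$state" != "Active" ]; then
        echo "FAIL: tunnel $tid state is '$state'; run ipsec -m activate or set Active yes in the IpManVpnAction"
        return 1
    fi
    echo "OK: $3 -> $tid ($(field "$2" VpnActionName)) is Active; still confirm the remote endpoint activated it (step 4)"
}

verify_manual_protection "$SAMPLE_FILTERS" "$SAMPLE_TUNNEL" Branch-to-HQ
```

For real use, replace the two sample variables with `$(cat filters.txt)` and `$(cat tunnel.txt)` after capturing the command output, and pass the IpFilterRule name identified in the "Before you begin" step. The script deliberately stops at step 3: whether the remote security endpoint activated its side of the tunnel (step 4) cannot be read from the local stack and still needs confirmation with the remote administrator.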