Verify manual IPSec protection.
About this task
Figure 1 shows the decisions involved in verifying manual IPSec protection.
Figure 1. Overview of verifying manual IPSec protection (flowchart image not reproduced in this text)
Procedure
Perform the following steps:
- Verify that manual filters that correspond to the identified IpFilterRule are installed in the stack by using the ipsec -f display -n command. Two filters of type Manual (1 inbound and 1 outbound) are installed in the stack for an IpFilterRule that is configured with IpManVpnAction. If the manual filter rules are not installed in the stack, then correct the IP filter policy. An IpFilterRule might be inactive (not installed) in the stack because of an IpTimeCondition. For information about the ipsec command, see z/OS Communications Server: IP System Administrator's Commands. See z/OS Communications Server: IP Configuration Reference for more information about the IpManVpnAction and IpTimeCondition statements. If IP filter rules are not installed, also verify that Policy Agent is active.
- Obtain the IpManVpnAction name by locating the VpnActionName field in the ipsec -f display command output. This is the name of the IpManVpnAction policy configuration statement. Obtain the manual tunnel ID by locating the TunnelID field in the ipsec -f display command output. The Tunnel ID for a manual tunnel has a value of M, followed by a positive integer.
- Verify that the manual tunnel is active. Use the ipsec -m display -a command, supplying the manual tunnel ID. Locate the State field in the ipsec -m command output and confirm that it indicates Active. If the manual tunnel is not active, then activate the tunnel by using the ipsec -m activate command. You might consider updating the IpManVpnAction policy configuration statement to specify Active yes, if it is not already specified. A setting of Active yes causes the manual tunnel state to be set to active when the manual tunnel is installed in the stack, without the additional step of issuing ipsec -m activate. If you are using the IBM® Configuration Assistant for z/OS® Communications Server to configure, you can choose to automatically activate manual tunnels within each Connectivity Rule.
- Contact the remote security endpoint's network administrator to ensure that the manual tunnel has been activated remotely. For traffic to flow through a manual tunnel, the remote security endpoint must also activate the manual tunnel.
- Verify that IpManVpnAction is enforced. See Steps for verifying IP security policy or defensive filter enforcement.
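The following POSIX shell script is an added example, not part of this documentation or of z/OS Communications Server itself. It applies the first three checks of the procedure (two Manual filters for the IpManVpnAction, a tunnel ID of the form M followed by a positive integer, and a State of Active) to captured ipsec display output. The field names VpnActionName, TunnelID and State and the tunnel ID form come from the procedure above; the "Field: value" line layout of the sample output, the sample values (Rule1, ManAct1, M1) and the function names are assumptions made for the example, so adapt the parsing if your stack prints the fields differently.

```shell
#!/bin/sh
# Added example (not z/OS Communications Server code): apply the manual IPSec
# verification checks to captured `ipsec` display output.
# Assumption: output is blank-line separated records of "Field:   value" lines.

# Constructed sample of `ipsec -f display -n` output for one IpFilterRule
# that uses IpManVpnAction ManAct1 (two Manual filters: inbound and outbound).
SAMPLE_FILTERS='FilterName:      Rule1
Type:            Manual
Direction:       Inbound
VpnActionName:   ManAct1
TunnelID:        M1

FilterName:      Rule1
Type:            Manual
Direction:       Outbound
VpnActionName:   ManAct1
TunnelID:        M1'

# Constructed sample of `ipsec -m display -a M1` output.
SAMPLE_TUNNEL='TunnelID:        M1
State:           Active'

# count_manual_filters ACTION OUTPUT
# Number of Type: Manual filter records whose VpnActionName is ACTION.
# Step 1 expects exactly 2 (one inbound, one outbound).
count_manual_filters() {
    printf '%s\n' "$2" | awk -v want="$1" '
    BEGIN { RS = ""; FS = "\n" }          # one record per blank-line block
    {
        manual = 0; named = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, /:[ \t]+/)      # "Field:   value" -> kv[1], kv[2]
            if (kv[1] == "Type" && kv[2] == "Manual") manual = 1
            if (kv[1] == "VpnActionName" && kv[2] == want) named = 1
        }
        if (manual && named) n++
    }
    END { print n + 0 }'
}

# manual_tunnel_id ACTION OUTPUT
# Distinct TunnelID values of the Manual filters that use ACTION (step 2).
manual_tunnel_id() {
    printf '%s\n' "$2" | awk -v want="$1" '
    BEGIN { RS = ""; FS = "\n" }
    {
        manual = 0; named = 0; tid = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, /:[ \t]+/)
            if (kv[1] == "Type" && kv[2] == "Manual") manual = 1
            if (kv[1] == "VpnActionName" && kv[2] == want) named = 1
            if (kv[1] == "TunnelID") tid = kv[2]
        }
        if (manual && named && tid != "") print tid
    }' | sort -u
}

# tunnel_state TUNNEL_ID OUTPUT
# State field of the record whose TunnelID is TUNNEL_ID (step 3).
tunnel_state() {
    printf '%s\n' "$2" | awk -v id="$1" '
    BEGIN { RS = ""; FS = "\n" }
    {
        tid = ""; st = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, /:[ \t]+/)
            if (kv[1] == "TunnelID") tid = kv[2]
            if (kv[1] == "State") st = kv[2]
        }
        if (tid == id) print st
    }'
}

# check_manual_protection ACTION FILTER_OUTPUT TUNNEL_OUTPUT
# Returns 0 when steps 1 to 3 pass, 1 with a reason otherwise.
check_manual_protection() {
    action=$1; filters=$2; tunnel=$3
    n=$(count_manual_filters "$action" "$filters")
    if [ "$n" -ne 2 ]; then
        echo "FAIL: expected 2 Manual filters for $action, found $n" \
             "(check the IP filter policy, any IpTimeCondition, and that Policy Agent is active)"
        return 1
    fi
    id=$(manual_tunnel_id "$action" "$filters")
    lines=$(printf '%s\n' "$id" | wc -l | tr -d ' ')
    # A manual tunnel ID is M followed by a positive integer, and both filters
    # of one IpManVpnAction are expected to name the same tunnel.
    if [ "$lines" -ne 1 ] || ! printf '%s\n' "$id" | grep -Eq '^M[1-9][0-9]*$'; then
        echo "FAIL: tunnel ID '$id' is not a single manual tunnel ID (M followed by a positive integer)"
        return 1
    fi
    state=$(tunnel_state "$id" "$tunnel")
    if [ "$state" != "Active" ]; then
        echo "FAIL: manual tunnel $id state is '${state:-unknown}', not Active" \
             "(activate it with ipsec -m activate, or specify Active yes in the IpManVpnAction)"
        return 1
    fi
    echo "OK: $action has 2 Manual filters and manual tunnel $id is Active"
    return 0
}

# Run the checks against the constructed samples.
check_manual_protection ManAct1 "$SAMPLE_FILTERS" "$SAMPLE_TUNNEL"
```

On a z/OS UNIX shell you would replace the constructed samples with the real command output, for example capturing `ipsec -f display -n` first, taking the tunnel ID from manual_tunnel_id, and then capturing `ipsec -m display -a` with that ID; the script only reads display output and never activates anything, so the ipsec -m activate step stays a deliberate administrator action. The remote endpoint check (step 4) cannot be automated from the local stack, which is why the script stops after the State check.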