KeyExchangeAction statement

Use the KeyExchangeAction statement to define a key exchange action for a dynamic VPN. A key exchange action indicates how key exchanges between the security endpoints are to be protected. A KeyExchangeAction statement can be referenced by a KeyExchangeRule statement.

Syntax

>>-KeyExchangeAction--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{--------------------------------+-------------------------|
   +-| KeyExchangeAction Parameters |-+   
   '-}--------------------------------'   

KeyExchangeAction Parameters

|--+-------------------------------+---------------------------->
   '-HowToInitiate--+-Main-------+-'   
                    +-Aggressive-+     
                    +-IKEv2------+     
                    '-DoNot------'     

   .-HowToRespond Either----------.                          
>--+------------------------------+--+-------------------+------>
   '-HowToRespond--+-Main-------+-'  '-AllowNat--+-Yes-+-'   
                   +-Aggressive-+                '-No--'     
                   '-Either-----'                            

   .-HowToRespondIKEv1 Either----------.   
>--+-----------------------------------+------------------------>
   '-HowToRespondIKEv1--+-Main-------+-'   
                        +-Aggressive-+     
                        '-Either-----'     

                .-DigitalSignature-.   
>--HowToAuthMe--+------------------+---------------------------->
                +-PresharedKey-----+   
                +-RsaSignature-----+   
                +-ECDSA-256--------+   
                +-ECDSA-384--------+   
                +-ECDSA-521--------+   
                '-DigitalSignature-'   

   .------------------------------.                         
   V                              |  .-ReauthInterval 0-.   
>----+-KeyExchangeOffer---------+-+--+------------------+------->
     '-KeyExchangeOfferRef name-'    '-ReauthInterval n-'   

   .-FilterByIdentity No-------.   
>--+---------------------------+-------------------------------->
   '-FilterByIdentity--+-No--+-'   
                       '-Yes-'     

>--+---------------------------------------------+-------------->
   +-ConstrainSource--+-ipaddress--------------+-+   
   |                  +-ipaddress/prefixLength-+ |   
   |                  +-ipaddress-ipaddress----+ |   
   |                  +-All--------------------+ |   
   |                  +-All4-------------------+ |   
   |                  '-All6-------------------' |   
   +-ConstrainSourceRef name---------------------+   
   +-ConstrainSourceSetRef name------------------+   
   '-ConstrainSourceGroupRef name----------------'   

>--+-------------------------------------------+---------------->
   +-ConstrainDest--+-ipaddress--------------+-+   
   |                +-ipaddress/prefixLength-+ |   
   |                +-ipaddress-ipaddress----+ |   
   |                +-All--------------------+ |   
   |                +-All4-------------------+ |   
   |                '-All6-------------------' |   
   +-ConstrainDestRef name---------------------+   
   +-ConstrainDestSetRef name------------------+   
   '-ConstrainDestGroupRef name----------------'   

>--+-----------------------------+------------------------------>
   '-BypassIpValidation--+-Yes-+-'   
                         '-No--'     

>--+----------------------------------------------+------------->
   '-CertificateURLLookupPreference--+-Allow----+-'   
                                     +-Tolerate-+     
                                     '-Disallow-'     

>--+--------------------------------+---------------------------|
   '-RevocationChecking--+-None---+-'   
                         +-Loose--+     
                         '-Strict-'     

Parameters

name
A string 1 - 32 characters in length specifying the name of this KeyExchangeAction statement. The name cannot start with a dash (-) or contain any commas (,).
HowToInitiate
The negotiation mode to use as the phase 1 initiator. If this parameter is not specified, the IKE daemon uses the HowToInitiate value from the KeyExchangePolicy statement.
Main
Indicates that IKE version 1 with identity protection is used when key negotiations are initiated by this system.
Aggressive
Indicates that IKE version 1 without identity protection is used when key negotiations are initiated by this system.
IKEv2
Indicates that IKE version 2 is used when key negotiations are initiated by this system.

Restriction: This value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

DoNot
Indicates that the local system cannot initiate a key exchange negotiation.
HowToRespond
Deprecated and treated as a synonym for HowToRespondIKEv1.
HowToRespondIKEv1
The negotiation mode to assume as the IKE version 1 phase 1 responder. The default is Either.

Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

Main
Requires remote systems to initiate key negotiations using IKE version 1 with identity protection.
Aggressive
Requires remote systems to initiate key negotiations using IKE version 1 without identity protection.
Either
Allows remote systems to initiate key exchange negotiations using IKE version 1 with or without identity protection.

Tip: The z/OS® IKE daemon is always capable of responding with the IKE version 2 protocol. The HowToRespondIKEv1 parameter determines which IKE version 1 modes are allowed when z/OS is the responder.

HowToAuthMe
Specifies the method that remote security endpoints are to use to authenticate this security endpoint during IKE version 2 IKE_SA negotiation. If not specified, this value defaults to DigitalSignature.
PresharedKey
Indicates that the remote security endpoint is expected to authenticate this security endpoint with a pre-shared key.
RsaSignature
Indicates that the remote security endpoint is expected to authenticate this security endpoint with RSA signatures.
ECDSA-256
Indicates that the remote security endpoint is expected to authenticate this security endpoint using ECDSA with SHA-256 on the P-256 curve.
ECDSA-384
Indicates that the remote security endpoint is expected to authenticate this security endpoint using ECDSA with SHA-384 on the P-384 curve.
ECDSA-521
Indicates that the remote security endpoint is expected to authenticate this security endpoint using ECDSA with SHA-512 on the P-521 curve.
DigitalSignature
Indicates that the local security endpoint may use either RsaSignature, ECDSA-256, ECDSA-384 or ECDSA-521 when creating the digital signature for the remote security endpoint to verify. This is the default.
Restrictions:
  • The HowToAuthMe keyword is ignored when IKE version 1 IKE SAs are negotiated because IKE version 1 requires that both security endpoints use the same authentication method.
  • If PresharedKey is specified, the KeyExchangeRule that references the KeyExchangeAction must specify the SharedKey parameter.
  • This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
AllowNat
Indicates whether the use of NAT traversal techniques is allowed when negotiating a phase 1 SA and subsequent phase 2 SAs that are using that phase 1 SA. The value Yes indicates that negotiations that use NAT traversal techniques are allowed. The value No indicates that negotiations that use NAT traversal techniques are not allowed. If the AllowNat parameter is specified, it overrides the AllowNat setting from the KeyExchangePolicy statement. If the AllowNat parameter is not specified, the AllowNat setting from the KeyExchangePolicy statement is used as the default.

Tip: Setting AllowNat to No prevents the IKE daemon from sending NAT payloads or processing received NAT payloads as part of the tunnel negotiation. In some cases, tunnels traversing one or more NATs can still be activated even when AllowNat is set to No. However, such tunnels are normally unusable because of the known incompatibilities between IPsec and NAT documented in RFC 3715.

KeyExchangeOffer
An inline specification of a KeyExchangeOffer statement.

Restriction: A KeyExchangeAction statement is limited to a maximum of 48 KeyExchangeOffer or KeyExchangeOfferRef statements.

KeyExchangeOfferRef
The name of a globally defined KeyExchangeOffer statement.

Restriction: A KeyExchangeAction statement is limited to a maximum of 48 KeyExchangeOffer or KeyExchangeOfferRef statements.

Rule: When you specify multiple KeyExchangeOffer parameters, configure the HowToInitiate parameter with the value Main to send multiple key exchange offers when a negotiation is initiated.

Result: When multiple KeyExchangeOffer parameters are specified and HowToInitiate is configured with the value Aggressive, the parameters of the first KeyExchangeOffer statement are used to initiate the Aggressive mode negotiation.

ReauthInterval
Specifies how often, in minutes, IKE version 2 peers reauthenticate themselves. Valid values are in the range 0 - 9999. The value 0 indicates that the endpoints never reauthenticate; this is the default (no automatic reauthentication). Reauthentication renegotiates the keys for the IKE SA and reauthenticates the security endpoints. When IKE version 2 peers reauthenticate, the IKE SA and all associated child SAs must be terminated and renegotiated.

Restriction: The ReauthInterval keyword is ignored when IKE version 1 is being used between IKE peers.

Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

Tip: When the remote IKE version 2 peer initiates a reauthentication at the same time as the local IKE version 2 peer, it is called a simultaneous reauthentication. Simultaneous reauthentication often results in redundant SAs. To reduce the probability of a simultaneous reauthentication, IKED shifts the timing of reauthentication by a small, random length of time. To further reduce the probability of a simultaneous reauthentication, use a higher ReauthInterval value or configure only one peer to initiate reauthentication.

FilterByIdentity
Indicates whether the peer's IKE identity is used for IP filtering purposes. IpFilterRule objects support the specification of a RemoteIdentity parameter. When this value is Yes, all IP tunnels negotiated with this peer use the RemoteIdentity parameter in addition to the traffic specification to locate the appropriate dynamic anchor IpFilterRule. When this value is No, all IP tunnels negotiated with this peer do not use the RemoteIdentity parameter to locate the appropriate dynamic anchor.
Restrictions:
  • Because the RemoteIdentity parameter is supported only in combination with remote activation, FilterByIdentity Yes can be used only in combination with HowToInitiate DoNot.
  • The peer is restricted to negotiating data protection only for its security endpoint address. RemoteIdentity support is intended for mobile users, who are not permitted to function as a security gateway.
  • This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

Guideline: When creating an IpFilterRule using a RemoteIdentity value, specify FilterByIdentity Yes on the KeyExchangeAction statement for the corresponding KeyExchangeRule statement. When creating an IPSec IpFilterRule without a RemoteIdentity value, specify FilterByIdentity No on the KeyExchangeAction statement for the corresponding KeyExchangeRule statement.

ConstrainSource
Indicates a source IP address constraint specification. Dynamic tunnel negotiations that take place under this KeyExchangeAction statement are constrained to include source data addresses that are in the range of this specification.
ipaddress
A single IP address constraining the source data address for all dynamic tunnel negotiations under this KeyExchangeAction statement.
ipaddress/prefixLength
A prefix address specification indicating the applicable source data addresses that can be included in dynamic tunnel negotiations under this KeyExchangeAction statement. The prefixLength value is the number of unmasked leading bits in the ipaddress value. The prefixLength value can be in the range 0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. A dynamic tunnel negotiation matches this condition if its source data address specification is entirely contained in the range defined by the unmasked bits for this prefix specification.
ipaddress-ipaddress
The range of IP addresses that are applicable source data addresses that can be included in dynamic tunnel negotiations under this KeyExchangeAction statement.
All
Indicates that dynamic tunnel negotiations under this KeyExchangeAction statement can include any IPv4 source data address specification. All and All4 are interchangeable values.
All4
Indicates that dynamic tunnel negotiations under this KeyExchangeAction statement can include any IPv4 source data address specification.
All6
Indicates that dynamic tunnel negotiations under this KeyExchangeAction statement can include any IPv6 source data address specification.

Restriction: This parameter, and the ConstrainSourceRef, ConstrainSourceSetRef, and ConstrainSourceGroupRef parameters are valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

ConstrainSourceRef name
The name of a globally defined IpAddr statement to be used for the source data address constraint.
ConstrainSourceSetRef name
The name of a globally defined IpAddrSet statement to be used for the source data address prefix or range constraint.
ConstrainSourceGroupRef name
The name of a globally defined IpAddrGroup statement to be used for the source data address constraint.
ConstrainDest
Indicates a destination IP address constraint specification. Dynamic tunnel negotiations that take place under this KeyExchangeAction statement are constrained to include only destination data addresses that are in the range of this specification.
ipaddress
A single IP address that constrains the destination data address for all dynamic tunnel negotiations under this KeyExchangeAction statement.
ipaddress/prefixLength
A prefix address specification indicating the applicable destination data addresses that can be included in dynamic tunnel negotiations under this KeyExchangeAction statement. The prefixLength value is the number of unmasked leading bits in the ipaddress value. The prefixLength value can be in the range 0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. A dynamic tunnel negotiation matches this condition if its destination data address specification is entirely contained within the range defined by the unmasked bits for this prefix specification.
ipaddress-ipaddress
The range of IP addresses that are applicable destination data addresses that can be included in dynamic tunnel negotiations under this KeyExchangeAction statement.
All
Indicates that dynamic tunnel negotiations under this KeyExchangeAction statement can include any IPv4 destination data address specification. All and All4 are interchangeable values.
All4
Indicates that dynamic tunnel negotiations under this KeyExchangeAction statement can include any IPv4 destination data address specification.
All6
Indicates that dynamic tunnel negotiations under this KeyExchangeAction statement can include any IPv6 destination data address specification.

Restriction: This parameter, and the ConstrainDestRef, ConstrainDestSetRef, and ConstrainDestGroupRef parameters are valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

ConstrainDestRef name
The name of a globally defined IpAddr statement to be used for the destination data address constraint.
ConstrainDestSetRef name
The name of a globally defined IpAddrSet statement to be used for the destination data address prefix or range constraint.
ConstrainDestGroupRef name
The name of a globally defined IpAddrGroup statement to be used for the destination data address constraint.
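The containment rule described for ConstrainSource and ConstrainDest (a negotiation matches when its data address specification lies entirely within the constraint), worked through for every constraint form in the syntax diagram: single address, ipaddress/prefixLength, ipaddress-ipaddress, All, All4 and All6. This is an added Python example, not IKED or Policy Agent code. It assumes that a prefix specification with host bits set is masked rather than rejected (the page does not say which), and the selector strings it evaluates are constructed samples.

```python
"""Evaluate ConstrainSource/ConstrainDest address constraints as this page
describes them.  Added example, not IKED or Policy Agent code.  The grammar of a
constraint is taken from the syntax diagram; a negotiated selector is written in
the same forms (address, prefix or range)."""
import ipaddress


def _bounds(spec):
    """Map a constraint or selector string to (ip_version, first, last) as integers."""
    if spec in ("All", "All4"):              # All and All4 are interchangeable
        return 4, 0, 2**32 - 1
    if spec == "All6":
        return 6, 0, 2**128 - 1
    if "-" in spec:                           # ipaddress-ipaddress range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"bad range {spec!r}")
        return lo.version, int(lo), int(hi)
    if "/" in spec:                           # ipaddress/prefixLength
        # Assumption: host bits beyond prefixLength are masked off, not rejected.
        net = ipaddress.ip_network(spec, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    addr = ipaddress.ip_address(spec)         # single address
    return addr.version, int(addr), int(addr)


def constraint_permits(constraint, selector):
    """True if the selector is entirely contained in the constraint (same IP version)."""
    cv, clo, chi = _bounds(constraint)
    sv, slo, shi = _bounds(selector)
    return cv == sv and clo <= slo and shi <= chi


def filter_proposals(constraint, selectors):
    """Split proposed data-address selectors into (allowed, rejected) under the constraint."""
    allowed = [s for s in selectors if constraint_permits(constraint, s)]
    rejected = [s for s in selectors if s not in allowed]
    return allowed, rejected


# Constructed sample: a ConstrainSource 10.1.0.0/16 evaluated against peer proposals.
SAMPLE_CONSTRAINT = "10.1.0.0/16"
SAMPLE_PROPOSALS = ["10.1.5.0/24", "10.1.255.255", "10.0.0.0/8",
                    "10.1.10.0-10.1.20.255", "10.1.0.0-10.2.0.0", "2001:db8::1"]

if __name__ == "__main__":
    ok, no = filter_proposals(SAMPLE_CONSTRAINT, SAMPLE_PROPOSALS)
    print("allowed:", ok)     # the three selectors inside 10.1.0.0/16
    print("rejected:", no)    # the wider prefix, the range that leaves /16, the IPv6 address
```

Both a single address and a wider range on the peer's side are handled by the same comparison: the selector's first and last address must both fall inside the constraint's bounds, so a selector that only overlaps the constraint is rejected, matching the "entirely contained" wording of the prefix description.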
BypassIpValidation
Indicates whether a check should be made to verify that the remote peer's identity matches the peer's remote IP address. A value of Yes indicates the check should be bypassed. A value of No indicates the check should be enforced. If this parameter is not specified, the BypassIpValidation setting from the KeyExchangePolicy statement is used as the default.

Restriction: The BypassIpValidation keyword is ignored when the identity of the peer is not an IPv4 or IPv6 address.

Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

Tip: If the remote security endpoint is expected to be behind a NAT, specify a value of Yes.

CertificateURLLookupPreference
Indicates the hash and URL encoding preference of certificate payloads. If this parameter is not specified, the CertificateURLLookupPreference setting from the KeyExchangePolicy statement is used as the default.
Allow
IKED provides the remote security endpoint with an indication that it prefers to receive certificate payloads encoded in a hash and URL format. IKED processes certificate payloads encoded using a hash and URL format when they are received. IKED attempts to send certificate payloads using a hash and URL format encoding when the remote security endpoint indicates a preference to receive certificate payloads encoded in a hash and URL format.
Tolerate
IKED does not provide the remote security endpoint with an indication that it prefers to receive certificate payloads encoded in a hash and URL format. IKED processes certificate payloads encoded using a hash and URL format when they are received. IKED attempts to send certificate payloads using a hash and URL format encoding when the remote security endpoint indicates a preference to receive certificate payloads encoded in a hash and URL format.
Disallow
IKED does not provide the remote security endpoint with an indication that it prefers to receive certificate payloads encoded in a hash and URL format. IKED ignores certificate payloads encoded using a hash and URL format when they are received. IKED does not send certificate payloads using a hash and URL format.

Restriction: This keyword is ignored when IKE version 1 IKE SAs are negotiated since IKE version 1 does not support hash and URL encoding of certificate data.

Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

RevocationChecking
Indicates the level of revocation checking to be performed on a remote security endpoint's certificate and its corresponding certificate authority certificates.
None
No revocation checking is performed.
Loose
Revocation information is checked if available.
Strict
Revocation information must be available for all certificates and is checked for all certificates.

If this parameter is not specified, the RevocationChecking setting from the KeyExchangePolicy statement is used as the default.

Rules:
  • Revocation checking is only applicable to digital signature authentication methods.
  • When the mode is Loose and revocation information for a certificate is unavailable, then that certificate is considered valid.
  • When the mode is Strict and revocation information for a certificate is unavailable, then that certificate is considered invalid.
  • When the mode is Strict or Loose and a source of revocation information checked indicates that a certificate is revoked then the certificate is considered invalid.
  • If a CRL can be obtained using the CRLDistributionPoints extension and a certificate bundle file, the CRL obtained from the CRLDistributionPoints extension is used and the CRL in the certificate bundle or certificate payload is ignored.
  • When IKED is configured to use the native IKE daemon certificate service, the RevocationChecking parameter is ignored.

Rule: Certificate revocation lists (CRL) received in a certificate payload are ignored.

Restrictions:
  • This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
  • Certificate revocation lists (CRL) are the only source of revocation information consulted. The CRL must be identified in the CRLDistributionPoints extension of the certificate being checked or contained in a certificate bundle file identified by the remote security endpoint.
  • When the CRLDistributionPoints extension is used to retrieve a CRL, at least one distribution point must contain an HTTP URL.
  • IKED will only consult a CRL that contains entries for all revocation reasons.
  • The native IKE daemon certificate service does not consult certificate revocation information when authenticating a digital signature. If certificate revocation information is consulted then IKED must be configured as a network security client.
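A worked KeyExchangeAction stanza together with a checker for the rules stated on this page (name format, permitted values, the 48-offer limit, the ReauthInterval range, the Aggressive-mode offer behaviour, the FilterByIdentity/HowToInitiate restriction and the deprecated HowToRespond keyword). This is an added Python example, not Policy Agent or IKED code. It assumes that '#' begins a comment and that braces sit on their own lines as the syntax diagram shows; the stanzas and the offer names in them are constructed samples, and inline KeyExchangeOffer blocks are counted but their contents are not inspected. Rules that span statements (for example, PresharedKey requiring SharedKey on the referencing KeyExchangeRule) are outside its scope.

```python
"""Parse a KeyExchangeAction stanza and check it against the rules this page
states.  Added example, not Policy Agent or IKED code.  Assumptions: '#' starts
a comment, braces sit on their own lines, and inline KeyExchangeOffer blocks are
counted but not inspected."""

VALID_VALUES = {
    "HowToInitiate": {"Main", "Aggressive", "IKEv2", "DoNot"},
    "HowToRespondIKEv1": {"Main", "Aggressive", "Either"},
    "HowToRespond": {"Main", "Aggressive", "Either"},   # deprecated synonym
    "HowToAuthMe": {"PresharedKey", "RsaSignature", "ECDSA-256",
                    "ECDSA-384", "ECDSA-521", "DigitalSignature"},
    "AllowNat": {"Yes", "No"},
    "FilterByIdentity": {"Yes", "No"},
    "BypassIpValidation": {"Yes", "No"},
    "CertificateURLLookupPreference": {"Allow", "Tolerate", "Disallow"},
    "RevocationChecking": {"None", "Loose", "Strict"},
}
MAX_OFFERS = 48   # limit on KeyExchangeOffer plus KeyExchangeOfferRef per statement


def parse_key_exchange_action(text):
    """Return (name, params); params maps each keyword to the list of values seen."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    head = lines[0].split() if lines else []
    if len(head) != 2 or head[0] != "KeyExchangeAction":
        raise ValueError("stanza must start with 'KeyExchangeAction name'")
    name, params, depth = head[1], {}, 0
    for ln in lines[1:]:
        if ln == "{":
            depth += 1
        elif ln == "}":
            depth -= 1
        elif depth == 1:                  # depth 2 is inside an inline offer: skipped
            parts = ln.split(None, 1)
            params.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    if depth != 0:
        raise ValueError("unbalanced braces")
    return name, params


def validate_key_exchange_action(name, params):
    """Return a list of findings; an empty list means every stated rule is met."""
    findings = []
    if not 1 <= len(name) <= 32 or name.startswith("-") or "," in name:
        findings.append("name must be 1-32 characters, not start with '-' and contain no ','")
    if "HowToRespond" in params:
        findings.append("HowToRespond is deprecated; use HowToRespondIKEv1")
    for key, allowed in VALID_VALUES.items():
        for value in params.get(key, []):
            if value not in allowed:
                findings.append(f"{key}: {value!r} is not one of {sorted(allowed)}")
    initiate = params.get("HowToInitiate", ["<from KeyExchangePolicy>"])[-1]
    offers = len(params.get("KeyExchangeOffer", [])) + len(params.get("KeyExchangeOfferRef", []))
    if offers > MAX_OFFERS:
        findings.append(f"{offers} offers exceed the limit of {MAX_OFFERS}")
    if offers > 1 and initiate == "Aggressive":
        findings.append("HowToInitiate Aggressive uses only the first offer; use Main to send all")
    for value in params.get("ReauthInterval", []):
        if not (value.isdigit() and int(value) <= 9999):
            findings.append(f"ReauthInterval {value!r} is outside 0-9999")
    if params.get("FilterByIdentity", ["No"])[-1] == "Yes" and initiate != "DoNot":
        findings.append("FilterByIdentity Yes requires HowToInitiate DoNot")
    return findings


def check_stanza(text):
    """Parse then validate a stanza, returning the list of findings."""
    return validate_key_exchange_action(*parse_key_exchange_action(text))


# Constructed sample stanzas; the offer names are placeholders, not real policy objects.
GOOD_STANZA = """\
KeyExchangeAction Gateway-Action
{
  HowToInitiate        Main
  HowToRespondIKEv1    Main
  HowToAuthMe          RsaSignature
  AllowNat             No
  KeyExchangeOfferRef  Offer-Strong
  KeyExchangeOfferRef  Offer-Compat
  ReauthInterval       0
  FilterByIdentity     No
  ConstrainSource      10.1.0.0/16
  RevocationChecking   Strict
}
"""

BAD_STANZA = """\
KeyExchangeAction -mobile,users
{
  HowToInitiate        Aggressive
  HowToRespond         Either        # deprecated keyword
  KeyExchangeOffer
  {
    # inline offer contents are not inspected by this checker
  }
  KeyExchangeOfferRef  Offer-Compat
  ReauthInterval       10000
  FilterByIdentity     Yes
  RevocationChecking   Medium
}
"""
```

Running check_stanza(GOOD_STANZA) returns no findings, while BAD_STANZA produces six: the malformed name, the deprecated keyword, the unknown RevocationChecking value, two offers under Aggressive mode (only the first would be sent), a ReauthInterval above 9999, and FilterByIdentity Yes without HowToInitiate DoNot.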