Structure of an IP security configuration file

The common IP security configuration file and the stack-specific IP security configuration file have exactly the same structure. Each consists of statements that define the items that make up policy, such as policies, rules, actions, groups, and objects. Statement names and attribute names are not case sensitive, though they appear in mixed case in this information for readability. Only user-defined names are case sensitive. For the complete syntax of all IP security policy statements, see z/OS Communications Server: IP Configuration Reference.

An IP security policy configuration statement has the following generic form:

StatementType     user-defined name
{
   Attribute1     value1
   Attribute2     value2
   .
   .
   .
}

Statements often contain other inline statements in a recursive form:

StatementType1     user-defined name
{
   Attribute1      value1
   StatementType2  optional user-defined name
   {
      Attribute1   value1
      Attribute2   value2
   }
   Attribute2      value2
} 

There are three main sections in an IP security configuration file, identified by the following three statements: IpFilterPolicy, KeyExchangePolicy, and LocalDynVpnPolicy.

Additional statements that define rules, actions, groups, and objects are found both in the main body of the configuration file and within any of these three policy blocks. A high-level view of an IP security configuration file follows. Although the statement blocks are shown in a specific order, the ordering is arbitrary.

IpFilterPolicy #(required)
{
  <local statements>
}

KeyExchangePolicy #(optional)
{
  <local statements>
}

LocalDynVpnPolicy #(optional)
{
  <local statements>
}

  <global statements>
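
A structural check for this layout, as an added example that is not part of the original documentation or of z/OS Communications Server: it parses the nested block form, lower-cases statement and attribute names while leaving user-defined names untouched, and reports which of the three policy statements are present at the top level. It assumes one statement header or attribute per line, braces on their own lines, and # starting a comment; parse, sections_present and SAMPLE are names made up for the example.

```python
# Added example; assumes braces on their own lines and '#' starting a comment.
SECTIONS = ("ipfilterpolicy", "keyexchangepolicy", "localdynvpnpolicy")

def parse(text):
    """Return nested statements/attributes; raise ValueError on bad nesting."""
    lines = [s for s in (ln.split("#", 1)[0].strip() for ln in text.splitlines()) if s]
    pos = 0
    def block(depth):
        nonlocal pos
        items = []
        while pos < len(lines):
            line = lines[pos]
            if line == "}":
                if depth == 0:
                    raise ValueError("unmatched '}'")
                pos += 1
                return items
            if line == "{":
                raise ValueError("'{' without a statement header")
            key, rest = (line.split(None, 1) + [""])[:2]
            key = key.lower()  # statement and attribute names ignore case
            if pos + 1 < len(lines) and lines[pos + 1] == "{":
                pos += 2       # user-defined name in `rest` keeps its case
                items.append({"type": key, "name": rest, "body": block(depth + 1)})
            else:
                pos += 1
                items.append({"attr": key, "value": rest})
        if depth:
            raise ValueError("missing '}' at end of file")
        return items
    return block(0)

def sections_present(text):
    """Report which of the three policy statements appear at top level."""
    top = {item.get("type") for item in parse(text)}
    return {name: name in top for name in SECTIONS}

SAMPLE = """\
ipfilterpolicy      # constructed sample; lower case on purpose
{
   StatementType2   Inner_Name
   {
      ATTRIBUTE1    value1
   }
}
StatementType1      Global_Name
{
   Attribute2       value2
}
"""
```

A file for which sections_present reports ipfilterpolicy as False is missing the one block the layout above marks as required.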