Activating a Security Association
Negotiations can be initiated in one of four ways:
- Remote activation
When a remote IKE peer initiates a negotiation with the local IKE daemon, no action is required. If the IP security policy has been configured correctly and is consistent with the policy of the remote IKE peer, a Security Association is established. No operator message is issued when a remote activation has occurred, but the syslog does contain a record of all IKE activity. The ipsec -y display command can also be used to view all of the active Security Associations.
- On-demand activation
An on-demand Security Association is activated when some outbound traffic matches an ipsec rule that allows on-demand activation. The ondemand field of the filter display indicates whether or not on-demand activation is allowed for that rule.
- Automatic activation
The local IKE daemon initiates a negotiation for an autoactivated Security Association when it connects to the TCP/IP stack. IKE also initiates a negotiation for an autoactivated Security Association when the ipsec -f reload command is issued, changing the active filter rule set from default IP filter rules to Policy Agent filter rules. No operator message is issued when an autoactivation has occurred, but the syslog does contain a record of all IKE activity. The ipsec -y display command can also be used to view all of the active Security Associations.
- Command-line activation
The ipsec command can be used as follows to activate a Security Association that has been defined by a LocalDynVpnRule statement:

```
ipsec -y activate -l ZoneC_VPN-EE1

CS V1R12 ipsec  Stack Name: TCPCS  Wed Feb 3 16:02:05 2010
Primary:  Dynamic tunnel  Function: Activate  Selection Data  Status
ZoneC_VPN-EE1  Activating
```

The output of the command indicates the status of the activation.
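The following shell helper is an added example, not part of the original page or of z/OS Communications Server: it issues the command-line activation shown above for one LocalDynVpnRule and then confirms the Security Association actually came up by polling `ipsec -y display`, rather than trusting the "Activating" status alone. It assumes the z/OS `ipsec` command is on PATH and that the rule name appears in the `ipsec -y display` output (both assumptions).

```shell
#!/bin/sh
# Added example (not from the z/OS documentation). Assumes 'ipsec' is on PATH
# and that the LocalDynVpnRule name shows up in 'ipsec -y display' output.
set -eu

# Request activation of one rule; succeed only if the activate output reports
# that rule with status "Activating" (the status column in the sample output).
activate_sa() {
  rule=$1
  out=$(ipsec -y activate -l "$rule") || return 1
  printf '%s\n' "$out" | grep -q "^$rule[[:space:]].*Activating"
}

# Poll the list of active Security Associations until the rule appears, or
# give up after $tries attempts spaced $delay seconds apart.
wait_for_sa() {
  rule=$1
  tries=${2:-10}
  delay=${3:-2}
  i=0
  while [ "$i" -lt "$tries" ]; do
    if ipsec -y display | grep -q "$rule"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Activate, then verify; exit code 1 = activation not accepted, 2 = no SA seen.
activate_and_verify() {
  activate_sa "$1" || { echo "activation of $1 not accepted" >&2; return 1; }
  wait_for_sa "$1" "${2:-10}" "${3:-2}" || { echo "$1 did not become active" >&2; return 2; }
  echo "$1 active"
}

# Usage: ./activate_sa.sh ZoneC_VPN-EE1 [tries] [delay]
if [ $# -gt 0 ]; then activate_and_verify "$@"; fi
```

Because syslog is the only record of IKE activity, a failing exit code here is the cue to check the IKE daemon's syslog entries for the negotiation result.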
For detailed information about the use of the ipsec command, see z/OS Communications Server: IP System Administrator's Commands.