Using IKEv2 tunnels

Support for the IKEv2 protocol was introduced in z/OS® V1R12 Communications Server. Target stacks on a V1R12 system are able to support the capabilities of the IKEv2 protocol. Security Associations (SAs) that are negotiated using the IKEv2 protocol cannot be distributed to targets that are at a release level prior to V1R12. Connection requests that flow over those SAs will not be distributed to a target stack that is V1R11 or earlier. If you want the workload to be distributed across all the targets in the sysplex, all target stacks must be at release V1R12 or later.

During takeover of the SA, the IKE daemon on the backup system negotiates a new SA. The backup system must be at release V1R13 or later to negotiate the new SA using the IKEv2 protocol. If the backup stack is on a V1R12 system, the IKE daemon attempts to negotiate the new SA using the IKEv1 protocol instead (releases before V1R12 have no IKEv2 support at all, which is why IKEv2-negotiated SAs cannot be distributed to them, as described above).

Restrictions:
  • Although a V1R12 backup system can recover a tunnel that was negotiated using IKEv2, any SA that is recovered will be converted to IKEv1 for the life of the SA.
  • If you specify the HowToInitiate parameter with the value IKEv2 on a V1R12 backup stack, the IKE daemon on the backup system fails to take over the SA. To prevent the failure, configure the HowToInitiate parameter with the value Main or Aggressive on the KeyExchangeAction statement or the KeyExchangePolicy statement of the V1R12 backup.
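The following script is an added example, not part of the z/OS documentation or IBM code. It audits the KeyExchangeAction stanzas of an IKE policy file before a planned takeover and reports, for a backup at a given release, which actions would hit the restrictions above. The policy text is a constructed sample in the KeyExchangeAction statement syntax (the parameter names KeyExchangeOfferRef and the default of Main for an omitted HowToInitiate are assumptions; check them against the IP Configuration Reference for your release), and the function names are hypothetical.

```python
"""Audit KeyExchangeAction stanzas for SWSA takeover compatibility.

Added example (not IBM code). Encodes the rules from the text above:
  - backup at V1R13 or later: takes over and can negotiate the new SA with IKEv2
  - backup at V1R12 with HowToInitiate Main/Aggressive: recovered, converted to IKEv1
  - backup at V1R12 with HowToInitiate IKEv2: takeover fails
  - backup before V1R12: no IKEv2 support, IKEv2-negotiated SAs cannot reach it
"""
import re

# Constructed sample policy text. The first stanza is the setting that breaks
# takeover on a V1R12 backup; the second is the corrected form.
SAMPLE_POLICY = """
# Fails takeover on a V1R12 backup: initiates with IKEv2
KeyExchangeAction     KEA-IKEv2-Initiate
{
  HowToInitiate       IKEv2
  HowToRespondIKEv2   Yes
  HowToAuthMe         RsaSignature
  HowToAuthPeers      RsaSignature
  KeyExchangeOfferRef KEO-AES-SHA    # assumed parameter name
}

# Safe on a V1R12 backup: SA is recovered, converted to IKEv1 for its lifetime
KeyExchangeAction     KEA-Main-Initiate
{
  HowToInitiate       Main
  HowToRespondIKEv1   Either
  HowToRespondIKEv2   Yes
  HowToAuthMe         RsaSignature
  HowToAuthPeers      RsaSignature
  KeyExchangeOfferRef KEO-AES-SHA    # assumed parameter name
}
"""

_STANZA = re.compile(r"KeyExchangeAction\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
VALID_INITIATE = {"main", "aggressive", "ikev2"}


def parse_key_exchange_actions(policy_text):
    """Return {action_name: {parameter: value}} for every KeyExchangeAction
    stanza. '#' starts a comment in the policy file syntax."""
    actions = {}
    for name, body in _STANZA.findall(policy_text):
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split(None, 1)
            params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        actions[name] = params
    return actions


def release_tuple(release):
    """'V1R12' -> (1, 12) so releases compare numerically (V2R1 > V1R13)."""
    m = re.fullmatch(r"V(\d+)R(\d+)", release.strip().upper())
    if not m:
        raise ValueError(f"unrecognized z/OS release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def ikev2_sa_takeover_outcome(backup_how_to_initiate, backup_release):
    """Outcome when a backup at backup_release takes over an SA that the
    primary negotiated with IKEv2, given the backup's HowToInitiate value."""
    mode = backup_how_to_initiate.lower()
    if mode not in VALID_INITIATE:
        raise ValueError(f"HowToInitiate must be Main, Aggressive or IKEv2, got {backup_how_to_initiate!r}")
    ver = release_tuple(backup_release)
    if ver < (1, 12):
        return "no-ikev2-support"       # release predates IKEv2 support
    if ver >= (1, 13):
        return "takeover-ok"            # backup can renegotiate using IKEv2
    if mode == "ikev2":
        return "takeover-fails"         # V1R12 restriction in the text above
    return "converted-to-ikev1"         # recovered, IKEv1 for the life of the SA


def audit(policy_text, backup_release):
    """[(action_name, HowToInitiate, outcome)] for every stanza in the policy.
    An omitted HowToInitiate is treated as Main (assumed default)."""
    rows = []
    for name, params in parse_key_exchange_actions(policy_text).items():
        mode = params.get("HowToInitiate", "Main")
        rows.append((name, mode, ikev2_sa_takeover_outcome(mode, backup_release)))
    return rows


def failing_actions(policy_text, backup_release):
    """Names of the actions that would make takeover fail on that backup."""
    return [name for name, _, outcome in audit(policy_text, backup_release)
            if outcome == "takeover-fails"]


if __name__ == "__main__":
    for release in ("V1R12", "V1R13"):
        for row in audit(SAMPLE_POLICY, release):
            print(release, *row)
```

Run it against the exported policy file for each backup stack's release before cutting over; a non-empty result from failing_actions is the case the second restriction describes, and changing that stanza's HowToInitiate to Main or Aggressive turns it into the converted-to-IKEv1 outcome.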