Using IPSec with DVIPAs and sysplex distributor
To support IPSec with DVIPA takeover and sysplex distributor, part of the IKE and IPSec configuration on the primary or distributing host must be replicated onto every system that can serve either as a backup host for a VIPA takeover or as a target host for sysplex distributor. From the IKE definition perspective, this replicated configuration is the IP security policy that applies to traffic using a distributed DVIPA. The following requirements apply:
- From a stack perspective, all anchor rules that apply to distributed DVIPA traffic must be identical on all systems. In addition, the rules must be ordered so that the same rule is selected for a given packet on every system; otherwise a connection that is distributed or taken over could be filtered or protected differently on the new host than it was on the original one.
- For an SA that applies to a DVIPA to be treated as a sysplex-wide SA, its local address must be specified at host granularity or finer. That is, a dynamic SA cannot be negotiated with a local subnet or address range that contains a DVIPA address. This rule ensures that on a DVIPA giveback the SA can be moved from host to host without the SA being applicable to both the backup and the primary host at the same time. If such a dynamic SA is negotiated anyway, the IPSec traffic that uses it can be neither distributed nor recovered through the DVIPA takeover support.
- The configured IKE identity used for a sysplex-wide SA must be identical on the primary and backup hosts. This allows the backup host for a VIPA takeover to retrieve the SA data from the coupling facility and renegotiate the SA under the same identity.
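The three requirements above can be checked mechanically before a takeover or distribution is relied on. The following script is an added illustration and is not part of the IBM documentation or of z/OS Communications Server; it models each host's anchor rules and IKE identity in a constructed, simplified form (not the Policy Agent IP security configuration syntax) and reports where a backup or target host would not be able to carry a sysplex-wide SA. The host names, addresses, rule names and IKE identities in the sample sysplex are made up.

```python
"""Consistency check for IPSec policy across sysplex members (added illustration).

The policy representation below is a constructed stand-in for the z/OS IP
security policy, not its real syntax.  It models the three requirements for
sysplex-wide SAs: identical and identically ordered DVIPA anchor rules, host
granularity for the local address of dynamic SAs, and a common IKE identity.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AnchorRule:
    """One anchor (filter) rule, in stack search order, simplified."""
    name: str
    local: str                 # local address or prefix, e.g. "10.1.1.1/32" or "10.1.1.0/24"
    remote: str                # remote address or prefix
    action: str                # "ipsec", "permit" or "deny"
    dynamic_sa: bool = False   # True if matching traffic is protected by an IKE-negotiated SA


@dataclass(frozen=True)
class HostPolicy:
    host: str
    ike_identity: str          # the configured IKE identity (assumed to be one per host)
    rules: tuple               # AnchorRule objects in the order the stack searches them


def _covers(prefix, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def dvipa_rules(policy, dvipas):
    """Anchor rules applicable to distributed DVIPA traffic, in stack order."""
    return tuple(r for r in policy.rules if any(_covers(r.local, d) for d in dvipas))


def check_sysplex_policy(primary, others, dvipas):
    """Return findings as text; an empty list means the hosts are consistent."""
    findings = []
    # (a) a dynamic SA's local address must be no coarser than a single host
    for pol in (primary, *others):
        for r in pol.rules:
            if not r.dynamic_sa:
                continue
            net = ipaddress.ip_network(r.local, strict=False)
            if net.num_addresses > 1 and any(ipaddress.ip_address(d) in net for d in dvipas):
                findings.append(f"{pol.host}: rule {r.name} local {r.local} is coarser than "
                                f"host and covers a DVIPA; its SA is not sysplex-wide")
    # (b) DVIPA anchor rules must be identical, and identically ordered, on every host
    reference = dvipa_rules(primary, dvipas)
    for pol in others:
        if dvipa_rules(pol, dvipas) != reference:
            findings.append(f"{pol.host}: DVIPA anchor rules differ from {primary.host} "
                            f"in content or order")
    # (c) the IKE identity must match the primary's on every backup or target
    for pol in others:
        if pol.ike_identity != primary.ike_identity:
            findings.append(f"{pol.host}: IKE identity {pol.ike_identity!r} differs from "
                            f"{primary.host} {primary.ike_identity!r}")
    return findings


def example_sysplex():
    """Constructed sample: one distributing host, one backup, one target host."""
    dvipas = ("10.1.1.1",)
    good = (
        AnchorRule("dvipa-telnet", "10.1.1.1/32", "192.168.5.0/24", "ipsec", dynamic_sa=True),
        AnchorRule("dvipa-deny-rest", "10.1.1.1/32", "0.0.0.0/0", "deny"),
        AnchorRule("static-admin", "10.1.2.7/32", "192.168.9.1/32", "permit"),
    )
    primary = HostPolicy("SYSA", "CN=SYSPLEX-DVIPA", good)
    # backup: same rules but swapped order, and its own (non-shared) IKE identity
    backup = HostPolicy("SYSB", "CN=SYSB", (good[1], good[0], good[2]))
    # target: the dynamic-SA rule was written for the whole /24 instead of the DVIPA host
    target = HostPolicy("SYSC", "CN=SYSPLEX-DVIPA", (
        AnchorRule("dvipa-telnet", "10.1.1.0/24", "192.168.5.0/24", "ipsec", dynamic_sa=True),
        good[1], good[2]))
    return primary, (backup, target), dvipas


def run_example():
    primary, others, dvipas = example_sysplex()
    return check_sysplex_policy(primary, others, dvipas)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Running the sample reports four findings: SYSC's /24 local address violates the host-granularity rule and, because that rule no longer matches SYSA's, also the identical-rules check; SYSB fails the ordering check and the IKE identity check. A sysplex in which every other member carries SYSA's rules and identity unchanged produces no findings.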