IPSec dynamic tunnel activation and refresh record (subtype 75)
The IPSec dynamic tunnel activation record is collected whenever the IKE daemon successfully negotiates a dynamic tunnel and installs it in the TCP/IP stack. This record contains information about the characteristics of the negotiated dynamic tunnel. If you are using the IPSec NMI, the common IP tunnel section of this SMF record is analogous to the NMsecIPTunnel structure, the dynamic tunnel section is analogous to the NMsecIPDynTunnel structure, and the IKE dynamic tunnel section is analogous to the NMsecIPDynamicIKE structure.
See Table 1 for the contents of the TCP/IP stack identification section. For the IPSec dynamic tunnel activation record, the TCP/IP Stack identification section indicates IKE as the subcomponent and X'08' (event record) as the record reason.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119_HDR | 24 | EBCDIC | Standard SMF Header; subtype is 75(X'4B'). |
Self-defining section | ||||
24(X'18') | SMF119SD_TRN | 2 | Binary | Number of triplets in this record (6). |
26(X'1A') | | 2 | Binary | Reserved |
28(X'1C') | SMF119IDOff | 4 | Binary | Offset to TCP/IP identification section. |
32(X'20') | SMF119IDLen | 2 | Binary | Length of TCP/IP identification section. |
34(X'22') | SMF119IDNum | 2 | Binary | Number of TCP/IP identification sections. |
36(X'24') | SMF119S1Off | 4 | Binary | Offset to common IP tunnel section. |
40(X'28') | SMF119S1Len | 2 | Binary | Length of common IP tunnel section. |
42(X'2A') | SMF119S1Num | 2 | Binary | Number of common IP tunnel sections. |
44(X'2C') | SMF119S2Off | 4 | Binary | Offset to dynamic tunnel section. |
48(X'30') | SMF119S2Len | 2 | Binary | Length of dynamic tunnel section. |
50(X'32') | SMF119S2Num | 2 | Binary | Number of dynamic tunnel sections. |
52(X'34') | SMF119S3Off | 4 | Binary | Offset to IKE dynamic tunnel section. |
56(X'38') | SMF119S3Len | 2 | Binary | Length of IKE dynamic tunnel section. |
58(X'3A') | SMF119S3Num | 2 | Binary | Number of IKE dynamic tunnel sections. |
60(X'3C') | SMF119S4Off | 4 | Binary | Offset to local client ID section. |
64(X'40') | SMF119S4Len | 2 | Binary | Length of local client ID section. |
66(X'42') | SMF119S4Num | 2 | Binary | Number of local client ID sections. |
68(X'44') | SMF119S5Off | 4 | Binary | Offset to remote client ID section. |
72(X'48') | SMF119S5Len | 2 | Binary | Length of remote client ID section. |
74(X'4A') | SMF119S5Num | 2 | Binary | Number of remote client ID sections. |
Table 2 lists the IPSec common IP tunnel specific section.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119IS_IPTunID | 48 | EBCDIC | Tunnel ID |
48(X'30') | SMF119IS_IPTunVPNAction | 48 | EBCDIC | Tunnel VPN action name |
96(X'60') | | 4 | Binary | IP tunnel flags. The following list identifies the bits, their names, and meaning. |
100(X'64') | SMF119IS_IPTunType | 1 | Binary | Tunnel type. One of the following values: |
101(X'65') | SMF119IS_IPTunState | 1 | Binary | One of the following tunnel states: |
102(X'66') | SMF119IS_IPTunRsvd2 | 2 | Binary | Reserved |
104(X'68') | SMF119IS_IPTunLclEndpt4 | 4 | Binary | One of the following values: |
104(X'68') | SMF119IS_IPTunLclEndpt6 | 16 | Binary | One of the following values: |
120(X'78') | SMF119IS_IPTunRmtEndpt4 | 4 | Binary | One of the following values: |
120(X'78') | SMF119IS_IPTunRmtEndpt6 | 16 | Binary | One of the following values: |
136(X'88') | SMF119IS_IPTunEncapMode | 1 | Binary | One of the following tunnel encapsulation modes: |
137(X'89') | SMF119IS_IPTunAuthProto | 1 | Binary | One of the following tunnel authentication protocols: |
138(X'8A') | SMF119IS_IPTunAuthAlg | 1 | Binary | One of the following tunnel authentication algorithms: |
139(X'8B') | SMF119IS_IPTunEncryptAlg | 1 | Binary | One of the following tunnel encryption algorithms: |
140(X'8C') | SMF119IS_IPTunInbAuthSPI | 4 | Binary | Tunnel inbound authentication SPI. |
144(X'90') | SMF119IS_IPTunOutbAuthSPI | 4 | Binary | Tunnel outbound authentication SPI. |
148(X'94') | SMF119IS_IPTunInbEncryptSPI | 4 | Binary | Tunnel inbound encryption SPI. |
152(X'98') | SMF119IS_IPTunOutbEncryptSPI | 4 | Binary | Tunnel outbound encryption SPI. |
156(X'9C') | SMF119IS_IPTunStartTime | 4 | Binary | Indicates the tunnel start time at which the tunnel was activated or refreshed, in UNIX format. |
160(X'A0') | SMF119IS_IPTunEncryptKeyLength | 4 | Binary | Encryption key length for variable-length algorithms, in bits. Zero for encryption algorithms that have a fixed key length (such as DES and 3DES) and nonzero for encryption algorithms that have a variable key length (such as AES-CBC and AES-GCM). Example values are 128 and 256. |
Table 3 lists the IPSec dynamic tunnel specific section.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | | 4 | Binary | The following list identifies the bits, their names, and meaning. |
0(X'0') Cont. | Cont. | Cont. | Cont. | One of the following values: |
0(X'0') Cont. | Cont. | Cont. | Cont. | One of the following values: |
4(X'4') | SMF119IS_IPDynVPNRule | 48 | EBCDIC | Dynamic VPN rule name for this tunnel. This field is blank if there is no local dynamic VPN rule. |
52(X'34') | SMF119IS_IPDynP1TunnelID | 48 | EBCDIC | Tunnel ID for this tunnel's parent IKE (phase 1) tunnel. As a result of refreshes, this tunnel ID might represent multiple related IKE tunnels. |
100(X'64') | SMF119IS_IPDynLifesize | 8 | Binary | Tunnel lifesize. Nonzero values indicate the lifesize value limit for the tunnel, in bytes. |
108(X'6C') | SMF119IS_IPDynLifesizeRefresh | 8 | Binary | Tunnel lifesize refresh. Nonzero values indicate the lifesize value at which the tunnel is refreshed, in bytes. |
116(X'74') | SMF119IS_IPDynLifetimeExpire | 4 | Binary | Tunnel lifetime. Indicates the time at which the tunnel expires, in UNIX format. |
120(X'78') | SMF119IS_IPDynLifetimeRefresh | 4 | Binary | Tunnel lifetime refresh. Indicates the time at which the tunnel is refreshed, in UNIX format. |
124(X'7C') | SMF119IS_IPDynVPNLifeExpire | 4 | Binary | Tunnel VPN lifetime expire. Nonzero values indicate the time at which the tunnel family ceases to be refreshed, in UNIX format. This field retains its original value for a refreshed tunnel. |
128(X'80') | SMF119IS_IPDynActMethod | 1 | Binary | One of the following tunnel activation methods: This field retains its original value for a refreshed tunnel. |
129(X'81') | SMF119IS_IPDynRsvd2 | 3 | Binary | Reserved bits |
132(X'84') | SMF119IS_IPDynRmtUDPPort | 2 | Binary | If the tunnel uses UDP encapsulation mode, this value is the IKE UDP port of the remote security endpoint; otherwise, the value is 0. |
134(X'86') | SMF119IS_IPDynRsvd3 | 2 | Binary | Reserved bits |
136(X'88') | SMF119IS_IPDynSrcNATOA | 4 | Binary | Source NAT original IP address. NAT original IP addresses are exchanged only for certain UDP-encapsulated tunnels. During NAT traversal negotiations, the IKE peer sends the source IP address that it is aware of. If NAT traversal negotiation did not occur or if an IKEv1 peer did not send a source NAT-OA payload, the value of this field is 0. Restriction: An IKEv1 peer at a pre-RFC3947 NAT traversal support level cannot send a source NAT-OA payload. |
140(X'8C') | SMF119IS_IPDynDstNATOA | 4 | Binary | Destination NAT original IP address. NAT original IP addresses are exchanged only for certain UDP-encapsulated tunnels. During NAT traversal negotiations, the IKE peer sends the destination IP address that it is aware of. If NAT traversal negotiation did not occur or if an IKEv1 peer did not send a source NAT-OA payload, the value of this field is 0. Restriction: An IKEv1 peer at a pre-RFC3947 NAT traversal support level cannot send a source NAT-OA payload. |
144(X'90') | SMF119IS_IPDynProtocol | 1 | Binary | Protocol for tunnel data. If the value is 0, the tunnel includes all protocols. |
145(X'91') | SMF119IS_IPDynRsvd4 | 3 | Binary | Reserved bits |
148(X'94') | SMF119IS_IPDynSrcPort | 2 | Binary | Low end of source port range for tunnel data or 0 if the tunnel is not limited to TCP or UDP. |
150(X'96') | SMF119IS_IPDynDstPort | 2 | Binary | Low end of destination port range for tunnel data, or 0 if the tunnel is not limited to TCP or UDP. |
152(X'98') | SMF119IS_IPDynSrcAddr4 | 4 | Binary | One of the following values: |
152(X'98') | SMF119IS_IPDynSrcAddr6 | 16 | Binary | One of the following values: |
168(X'A8') | SMF119IS_IPDynSrcAddrRange4 | 4 | Binary | If the SMF119IS_IPDynSrcIsRange field is set, this field is the highest IPv4 or IPv6 source address in the range for tunnel data. |
168(X'A8') | SMF119IS_IPDynSrcAddrRange6 | 16 | Binary | If the SMF119IS_IPDynSrcIsRange field is set, this field is the highest IPv4 or IPv6 source address in the range for tunnel data. |
184(X'B8') | SMF119IS_IPDynDstAddr4 | 4 | Binary | One of the following values: |
184(X'B8') | SMF119IS_IPDynDstAddr6 | 16 | Binary | One of the following values: |
200(X'C8') | SMF119IS_IPDynDstAddrRange4 | 4 | Binary | If the SMF119IS_IPDynDstIsRange field is set, this field is the highest IPv4 or IPv6 destination address in the range for tunnel data. |
200(X'C8') | SMF119IS_IPDynDstAddrRange6 | 16 | Binary | If the SMF119IS_IPDynDstIsRange field is set, this field is the highest IPv4 or IPv6 destination address in the range for tunnel data. |
216(X'D8') | SMF119IS_IPDynSrcAddrPrefix | 1 | Binary | If the SMF119IS_IPDynSrcIsPrefix field is set, this field is the length of the tunnel data source address prefix in bits. |
217(X'D9') | SMF119IS_IPDynDstAddrPrefix | 1 | Binary | If the SMF119IS_IPDynDstIsPrefix field is set, this field is the length of the tunnel data destination address prefix in bits. |
218(X'DA') | SMF119IS_IPDynMajorVer | 1 | Binary | Major version of the IKE protocol in use. Only the low-order 4 bits are used. |
219(X'DB') | SMF119IS_IPDynMinorVer | 1 | Binary | Minor version of the IKE protocol in use. Only the low-order 4 bits are used. |
220(X'DC') | SMF119IS_IPDynType | 1 | Binary | Low end of the ICMP, ICMPv6, or MIPv6 type range for tunnel data, or 0 if the tunnel is not limited to ICMP, ICMPv6, or MIPv6. |
221(X'DD') | SMF119IS_IPDynTypeRange | 1 | Binary | High end of the ICMP, ICMPv6, or MIPv6 type range for tunnel data, or 0 if the tunnel is not limited to ICMP, ICMPv6, or MIPv6. A tunnel that applies to all type values is indicated by a range of 0 - 255. |
222(X'DE') | SMF119IS_IPDynCode | 1 | Binary | Low end of the ICMP or ICMPv6 code range for tunnel data, or 0 if the tunnel is not limited to ICMP or ICMPv6. |
223(X'DF') | SMF119IS_IPDynCodeRange | 1 | Binary | High end of the ICMP or ICMPv6 code range for tunnel data, or 0 if the tunnel is not limited to ICMP or ICMPv6. A tunnel that applies to all code values is indicated by a range of 0 - 255. |
224(X'E0') | SMF119IS_IPDynSrcPortRange | 2 | Binary | High end of the source port range for tunnel data, or 0 if the tunnel is not limited to TCP or UDP. A tunnel that applies to all source port values is indicated by a range of 0 - 65535. |
226(X'E2') | SMF119IS_IPDynDstPortRange | 2 | Binary | High end of the destination port range for tunnel data, or 0 if the tunnel is not limited to TCP or UDP. A tunnel that applies to all destination port values is indicated by a range of 0 - 65535. |
228(X'E4') | SMF119IS_IPDynGeneration | 4 | Binary | Tunnel generation number. The first dynamic tunnel with a particular tunnel ID has generation 1. Subsequent refreshes of this dynamic tunnel have the same tunnel ID but higher generation numbers. |
Table 4 lists the IPSec IKE dynamic tunnel specific section.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119IS_IPDynIKERsvd1 | 4 | Binary | Reserved bits. |
4(X'4') | SMF119IS_IPDynIKEFilter | 48 | EBCDIC | Filter name for the IP filter related to this dynamic tunnel. |
52(X'34') | SMF119IS_IPDynIKEDHGroup | 4 | Binary | Diffie-Hellman group used for PFS for this dynamic tunnel, or 0 if phase 2 PFS is not configured. |
56(X'38') | SMF119IS_IPDynIKELclIDType | 1 | Binary | ISAKMP identity type for the local client ID, as defined in RFC 2407. Client identities can be exchanged during negotiation to limit or define the scope of data protected by the tunnel. If client identities were not exchanged during negotiation, the scope of data protection is defined to include the peers' tunnel endpoint addresses, and this field is 0. |
57(X'39') | SMF119IS_IPDynIKERmtIDType | 1 | Binary | ISAKMP identity type for the remote client ID, as defined in RFC 2407. Client identities might be exchanged during negotiation to limit or define the scope of data protected by the tunnel. If client identities were not exchanged during negotiation, the scope of data protection is defined to include the peers' tunnel endpoint addresses, and this field is 0. |
58(X'3A') | SMF119IS_IPDynIKEExtState | 2 | Binary | One of the following extended tunnel state information types: |
Table 5 lists the IPSec local client ID specific section.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119IS_LocalClientID | n | EBCDIC | The local client ID for this tunnel's phase 2 negotiation. Regardless of the identity's type, the ID is expressed as an EBCDIC string (an IP address is returned in printable form). |
Table 6 lists the IPSec remote client ID specific section.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119IS_RemoteClientID | n | EBCDIC | The remote client ID for this tunnel's phase 2 negotiation. Regardless of the identity's type, the ID is expressed as an EBCDIC string (an IP address is returned in printable form). |
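The following parser, added here as an example and not part of the IBM documentation or any IBM tool, walks the self-defining triplets (Table 1), decodes the common IP tunnel section (Table 2) and pulls the lifetime timers and generation number from the dynamic tunnel section (Table 3), so a refresh (generation > 1) can be told apart from a first activation when reviewing SMF 119 data offline. It assumes the standard SMF header carries the subtype at offset 22, and because the flag bit that selects IPv4 versus IPv6 endpoints is not reproduced on this page the caller states which form applies; the sample record is constructed, not a real dump.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

SUBTYPE_DYN_TUNNEL = 75  # X'4B', from the standard SMF header description

def read_triplets(rec: bytes) -> list:
    """Self-defining section: SMF119SD_TRN at +24, (offset, length, number) triplets from +28."""
    count, = struct.unpack_from(">H", rec, 24)
    return [struct.unpack_from(">IHH", rec, 28 + 8 * i) for i in range(count)]

def parse_common_tunnel(sec: bytes, ipv6: bool) -> dict:
    """Table 2; each 16-byte endpoint slot holds IPv4 in its first 4 bytes or a full IPv6 (the selecting flag bit is not on this page, so the caller chooses)."""
    addr = (lambda b: str(IPv6Address(b))) if ipv6 else (lambda b: str(IPv4Address(b[:4])))
    flags, ttype, state = struct.unpack_from(">IBB", sec, 96)
    encap, aproto, aalg, ealg, *spis, start, keylen = struct.unpack_from(">BBBBIIIIII", sec, 136)
    return {"tunnel_id": sec[:48].decode("cp037").rstrip(),       # EBCDIC, blank padded
            "vpn_action": sec[48:96].decode("cp037").rstrip(),
            "flags": flags, "type": ttype, "state": state,
            "local": addr(sec[104:120]), "remote": addr(sec[120:136]),
            "encap": encap, "auth_proto": aproto, "auth_alg": aalg, "encrypt_alg": ealg,
            "spi": dict(zip(("in_auth", "out_auth", "in_enc", "out_enc"), spis)),
            "start_time": start, "key_bits": keylen}

def parse_dynamic_tunnel(sec: bytes) -> dict:
    """Table 3 subset: lifetime expire/refresh (UNIX time) and the generation number."""
    expire, refresh = struct.unpack_from(">II", sec, 116)
    return {"lifetime_expire": expire, "lifetime_refresh": refresh,
            "generation": struct.unpack_from(">I", sec, 228)[0]}

def parse_record(rec: bytes, ipv6: bool = False) -> dict:
    """Check the subtype (SMF header offset 22: assumption), walk the triplets, decode S1 and S2."""
    if struct.unpack_from(">H", rec, 22)[0] != SUBTYPE_DYN_TUNNEL:
        raise ValueError("not an SMF 119 subtype 75 record")
    trip = read_triplets(rec)
    (s1_off, s1_len, _), (s2_off, s2_len, _) = trip[1], trip[2]
    return {"common": parse_common_tunnel(rec[s1_off:s1_off + s1_len], ipv6),
            "dynamic": parse_dynamic_tunnel(rec[s2_off:s2_off + s2_len])}

def build_sample_record() -> bytes:
    """Constructed sample (not a real dump): header, 6 triplets, sections 1 and 2 only."""
    hdr = bytearray(24); hdr[5] = 119; struct.pack_into(">H", hdr, 22, SUBTYPE_DYN_TUNNEL)
    s1, s2 = bytearray(164), bytearray(232)
    s1[0:96] = ("TUN-PAYROLL".ljust(48) + "ACT-ESP-AES".ljust(48)).encode("cp037")
    struct.pack_into(">IBB", s1, 96, 0, 1, 1)                        # flags, type, state
    s1[104:108], s1[120:124] = IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.7").packed
    struct.pack_into(">BBBBIIIIII", s1, 136, 1, 1, 1, 1, 0x1001, 0x2002, 0x3003, 0x4004, 1700000000, 256)
    struct.pack_into(">II", s2, 116, 1700003600, 1700003000); struct.pack_into(">I", s2, 228, 2)
    trips = [(76, 0, 0), (76, 164, 1), (240, 232, 1), (472, 0, 0), (472, 0, 0), (472, 0, 0)]
    sd = struct.pack(">HH", 6, 0) + b"".join(struct.pack(">IHH", *t) for t in trips)
    return bytes(hdr) + sd + bytes(s1) + bytes(s2)
```

A generation of 2 with the same tunnel ID, as in the sample, is a refresh of an existing dynamic tunnel rather than a new activation.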