IPSec IKE tunnel activation and refresh record (subtype 73)
The IPSec IKE tunnel activation and refresh record is collected whenever the IKE daemon successfully negotiates an IKE tunnel. This record contains information about the characteristics of the IKE tunnel. If you are using the IPSec Network Management Interface (NMI), the common IKE tunnel section of this SMF record is analogous to the NMsecIKETunnel structure.
See Table 1 for the contents of the TCP/IP stack identification section. In the IKE tunnel activation and refresh record, the TCP/IP stack identification section specifies IKE as the subcomponent and X'08' (event record) as the record reason.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119_HDR | 24 | | Standard SMF Header; subtype is 73(X'49') |
Self-defining section | | | | |
24(X'18') | SMF119SD_TRN | 2 | Binary | Number of triplets in this record (4) |
26(X'1A') | | 2 | Binary | Reserved |
28(X'1C') | SMF119IDOff | 4 | Binary | Offset to TCP/IP identification section |
32(X'20') | SMF119IDLen | 2 | Binary | Length of TCP/IP identification section |
34(X'22') | SMF119IDNum | 2 | Binary | Number of TCP/IP identification sections |
36(X'24') | SMF119S1Off | 4 | Binary | Offset to common IKE tunnel section |
40(X'28') | SMF119S1Len | 2 | Binary | Length of common IKE tunnel section |
42(X'2A') | SMF119S1Num | 2 | Binary | Number of common IKE tunnel sections |
44(X'2C') | SMF119S2Off | 4 | Binary | Offset to local ID section |
48(X'30') | SMF119S2Len | 2 | Binary | Length of local ID section |
50(X'32') | SMF119S2Num | 2 | Binary | Number of local ID sections |
52(X'34') | SMF119S3Off | 4 | Binary | Offset to remote ID section |
56(X'38') | SMF119S3Len | 2 | Binary | Length of remote ID section |
58(X'3A') | SMF119S3Num | 2 | Binary | Number of remote ID sections |
Table 2 shows the IPSec common IKE tunnel specific section.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | | 4 | Binary | Common IKE tunnel flags. The following list identifies the bits, their names, and meaning. |
4(X'4') | SMF119IS_IKETunID | 48 | EBCDIC | Tunnel ID for this IKE tunnel. |
52(X'34') | SMF119IS_IKETunKeyExchRule | 48 | EBCDIC | Key exchange rule name for this IKE tunnel. |
100(X'64') | SMF119IS_IKETunKeyExchAction | 48 | EBCDIC | Key exchange action name for this IKE tunnel. |
148(X'94') | SMF119IS_IKETunLclEndpt4 | 4 | Binary | One of the following values: |
148(X'94') | SMF119IS_IKETunLclEndpt6 | 16 | Binary | One of the following values: |
164(X'A4') | SMF119IS_IKETunRmtEndpt4 | 4 | Binary | One of the following values: |
164(X'A4') | SMF119IS_IKETunRmtEndpt6 | 16 | Binary | One of the following values: |
180(X'B4') | SMF119IS_IKETunICookie | 8 | Binary | The icookie for this IKE tunnel |
188(X'BC') | SMF119IS_IKETunRCookie | 8 | Binary | The rcookie for this IKE tunnel |
196(X'C4') | SMF119IS_IKETunExchangeMode | 1 | Binary | Tunnel exchange mode. For IKEv1 SAs, possible values are: For IKEv2 SAs, this field is not applicable and is 0. |
197(X'C5') | SMF119IS_IKETunState | 1 | Binary | Tunnel state. Possible values are: |
198(X'C6') | SMF119IS_IKETunAuthAlg | 1 | Binary | Tunnel authentication algorithm. Possible values are: |
199(X'C7') | SMF119IS_IKETunEncryptAlg | 1 | Binary | Tunnel encryption algorithm. Possible values are: |
200(X'C8') | SMF119IS_IKETunDHGroup | 4 | Binary | Diffie-Hellman group used to generate keying material for this IKE tunnel. |
204(X'CC') | SMF119IS_IKETunPeerAuthMethod | 1 | Binary | Tunnel peer authentication method. Possible values are: |
205(X'CD') | SMF119IS_IKETunRole | 1 | Binary | Tunnel role. Possible values are: |
206(X'CE') | SMF119IS_IKETunNATTLevel | 1 | Binary | NAT traversal support level. Possible values are: |
207(X'CF') | SMF119IS_IKETunExtState | 1 | Binary | Extended tunnel state information. Possible values are: The following values are valid only for record subtype 74: |
208(X'D0') | SMF119IS_IKETunLifesize | 8 | Binary | Tunnel lifesize. If this value is not 0, this value indicates the lifesize limit for the tunnel, in bytes. |
216(X'D8') | SMF119IS_IKETunLifetime | 4 | Binary | Tunnel lifetime. This value indicates the total number of seconds the tunnel remains active. |
220(X'DC') | SMF119IS_IKETunLifetimeRefresh | 4 | Binary | Tunnel lifetime refresh. This value indicates the time at which the tunnel is refreshed (in UNIX format). |
224(X'E0') | SMF119IS_IKETunLifetimeExpire | 4 | Binary | Tunnel lifetime expiration. This value indicates the time at which the tunnel expires (in UNIX format). |
228(X'E4') | SMF119IS_IKETunRmtUDPPort | 2 | Binary | Remote UDP port used for IKE negotiations. |
230(X'E6') | SMF119IS_IKETunLIDType | 1 | Binary | ISAKMP identity type for the local security endpoint identity, as defined in RFC 2407. ISAKMP peers exchange and verify identities as part of the IKE tunnel (phase 1) negotiation. |
231(X'E7') | SMF119IS_IKETunRIDType | 1 | Binary | ISAKMP identity type for the remote security endpoint identity, as defined in RFC 2407. ISAKMP peers exchange and verify identities as part of the IKE tunnel (phase 1) negotiation. |
232(X'E8') | SMF119IS_IKETunStartTime | 4 | Binary | Tunnel start time. Indicates the time at which the tunnel was activated or refreshed (in UNIX format). |
236(X'EC') | SMF119IS_IKETunMajorVer | 1 | Binary | Major version of the IKE protocol in use. Only the low-order 4 bits are used. |
237(X'ED') | SMF119IS_IKETunMinorVer | 1 | Binary | Minor version of the IKE protocol in use. Only the low-order 4 bits are used. |
238(X'EE') | SMF119IS_IKETunPseudoRandomFunc | 1 | Binary | Pseudo-random function used for seeding keying material. One of the following values: |
239(X'EF') | SMF119IS_IKETunLocalAuthMethod | 1 | Binary | The authentication method for the local endpoint. One of the following values: |
240(X'F0') | SMF119IS_IKETunReauthInterval | 4 | Binary | Reauthentication interval. Indicates the number of seconds between reauthentication operations. |
244(X'F4') | SMF119IS_IKETunReauthTime | 4 | Binary | Tunnel reauthentication time. Indicates the time at which the tunnel is reauthenticated (in UNIX format). |
248(X'F8') | SMF119IS_IKETunGeneration | 4 | Binary | Tunnel generation number. The first IKE tunnel with a particular tunnel ID has generation 1. Subsequent refreshes of this IKE tunnel have the same tunnel ID, but with higher generation numbers. |
252(X'FC') | SMF119IS_IKETunEncryptKeyLength | 4 | Binary | Encryption key length for variable-length algorithms, in bits. This value is 0 for encryption algorithms that have a fixed key length (such as DES and 3DES) and nonzero for encryption algorithms that have a variable key length (such as AES-CBC). Result: Example values are 128 and 256. |
Table 3 shows the IPSec local ID specific section.
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119IS_LocalID | n | EBCDIC | Contents of the local identity used to negotiate the IKE tunnel. Regardless of the identity type, the value is expressed as an EBCDIC string (an IP address is returned in printable form). |
Table 4 shows the IPSec remote ID specific section:
Offset | Name | Length | Format | Description |
---|---|---|---|---|
0(X'0') | SMF119IS_RemoteID | n | EBCDIC | Contents of the remote identity used to negotiate the IKE tunnel. Regardless of the identity type, the value is expressed as an EBCDIC string (an IP address is returned in printable form). |
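
The following parser is an added example, not IBM code: it walks the self-defining triplets from Table 1, decodes several common IKE tunnel fields from Table 2 together with the local and remote IDs, and flags tunnels for review. Assumptions: binary fields are big-endian, triplet offsets count from byte 0 of the record as laid out above, EBCDIC text is code page 037, and the `audit` policy and `build_sample` record are constructed for illustration.

```python
import struct

EBCDIC = "cp037"  # assumption: the page says only "EBCDIC"; code page 037 chosen here

def triplets(rec):
    """Self-defining section: count at offset 24, (offset, length, number) from 28."""
    (count,) = struct.unpack_from(">H", rec, 24)
    out = [struct.unpack_from(">IHH", rec, 28 + 8 * i) for i in range(count)]
    for off, length, num in out:
        if off + length * num > len(rec):
            raise ValueError("triplet points past the end of the record")
    return out

def text(rec, off, length):
    return rec[off:off + length].decode(EBCDIC).rstrip(" \x00")

def parse_ike_tunnel(rec):
    """Decode a few Table 2 fields plus the local and remote ID sections."""
    trips = triplets(rec)
    if len(trips) != 4 or trips[1][1] < 256:
        raise ValueError("not a complete subtype 73 layout")
    base = trips[1][0]                      # start of common IKE tunnel section
    generation, key_bits = struct.unpack_from(">II", rec, base + 248)
    return {"tunnel_id": text(rec, base + 4, 48),
            "key_exch_rule": text(rec, base + 52, 48),
            "ike_major": rec[base + 236] & 0x0F,   # only low-order 4 bits are used
            "generation": generation,
            "encrypt_key_bits": key_bits,
            "local_id": text(rec, *trips[2][:2]),
            "remote_id": text(rec, *trips[3][:2])}

def audit(t):
    """Example review policy (an assumption of this sketch, not an IBM rule)."""
    findings = ["IKEv1"] if t["ike_major"] == 1 else []
    if t["encrypt_key_bits"] == 0:          # 0 = fixed-key-length algorithm
        findings.append("fixed-key-length cipher (such as DES or 3DES)")
    return findings

def build_sample(tunnel_id="K1", major=1, key_bits=0,
                 local="10.1.1.1", remote="peer.example.com"):
    """Constructed record for testing, not real SMF data; unparsed bytes are zero."""
    s1 = bytearray(256)
    s1[4:52] = tunnel_id.ljust(48).encode(EBCDIC)
    s1[236] = major
    struct.pack_into(">II", s1, 248, 3, key_bits)   # generation 3, key length
    sections = [bytes(8), bytes(s1), local.encode(EBCDIC), remote.encode(EBCDIC)]
    sd, off = struct.pack(">HH", 4, 0), 60          # 24-byte header + 36-byte SD
    for sec in sections:
        sd += struct.pack(">IHH", off, len(sec), 1)
        off += len(sec)
    return bytes(24) + sd + b"".join(sections)
```

The bounds check in `triplets` rejects truncated or malformed records before any field is read, which matters when records arrive from an offloaded SMF dump rather than directly from the system.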