IPSec IKE tunnel activation and refresh record (subtype 73)

The IPSec IKE tunnel activation and refresh record is collected whenever the IKE daemon successfully negotiates an IKE tunnel. This record contains information about the characteristics of the IKE tunnel. If you are using the IPSec Network Management Interface (NMI), the common IKE tunnel section of this SMF record is analogous to the NMsecIKETunnel structure.

Table 1 shows the IPSec IKE tunnel activation/refresh record self-defining section.

See Table 1 for the contents of the TCP/IP stack identification section. In the IPSec IKE tunnel activation and refresh record, the TCP/IP stack identification section specifies IKE as the subcomponent and X'08' (event record) as the record reason.

Table 1. IPSec IKE tunnel activation/refresh record self-defining section
Offset Name Length Format Description
0(X'0') SMF119_HDR 24   Standard SMF Header; subtype is 73(X'49')
Self-defining section
24(X'18') SMF119SD_TRN 2 Binary Number of triplets in this record (4)
26(X'1A')   2 Binary Reserved
28(X'1C') SMF119IDOff 4 Binary Offset to TCP/IP identification section
32(X'20') SMF119IDLen 2 Binary Length of TCP/IP identification section
34(X'22') SMF119IDNum 2 Binary Number of TCP/IP identification sections
36(X'24') SMF119S1Off 4 Binary Offset to common IKE tunnel section
40(X'28') SMF119S1Len 2 Binary Length of common IKE tunnel section
42(X'2A') SMF119S1Num 2 Binary Number of common IKE tunnel sections
44(X'2C') SMF119S2Off 4 Binary Offset to local ID section
48(X'30') SMF119S2Len 2 Binary Length of local ID section
50(X'32') SMF119S2Num 2 Binary Number of local ID sections
52(X'34') SMF119S3Off 4 Binary Offset to remote ID section
56(X'38') SMF119S3Len 2 Binary Length of remote ID section
58(X'3A') SMF119S3Num 2 Binary Number of remote ID sections

Table 2 shows the IPSec common IKE tunnel specific section.

Table 2. IPSec common IKE tunnel specific section
Offset Name Length Format Description
0(X'0')   4 Binary Common IKE tunnel flags

The following list identifies the bits, their names, and meaning.

  • X'80000000', SMF119IS_IKETunIPv6: The IPv6 indicator. If this bit is set, all IKE tunnel security endpoints are IPv6 addresses. If this bit is not set, the endpoints are IPv4 addresses.
  • X'40000000', SMF119IS_IKETunNATAllowed: NAT traversal indicator. The NAT traversal function is enabled for this IKE tunnel.
  • X'20000000', SMF119IS_IKETunLclNAT: Local NAT indicator. A NAT has been detected in front of the local security endpoint.
  • X'10000000', SMF119IS_IKETunRmtNAT: Remote NAT indicator. A NAT has been detected in front of the remote security endpoint.
  • X'08000000', SMF119IS_IKETunRmtNAPT: Remote NAPT indicator. An NAPT has been detected in front of the remote security endpoint.
    Result: Some NAPTs might be undetected. In that case, the SMF119IS_IKETunRmtNAT bit is set, but this bit is not set.
  • X'04000000', SMF119IS_IKETunCanInitP1: IKE tunnel (P1) initiation indicator. The local security endpoint can initiate IKE tunnel negotiations with the remote security endpoint. If this bit is not set, the remote security endpoint must initiate IKE tunnel negotiations. Either side can initiate refreshes.
  • X'02000000', SMF119IS_IKETunFIPS140: FIPS 140 mode indicator. If this field is set, cryptographic operations for this IKE tunnel are performed using cryptographic algorithms and modules that are designed to meet the FIPS 140 requirements; otherwise, cryptographic algorithms and modules that do not meet the FIPS 140 requirements might be used.
  • Remaining bits: Reserved
4(X'4') SMF119IS_IKETunID 48 EBCDIC Tunnel ID for this IKE tunnel.
52(X'34') SMF119IS_IKETunKeyExchRule 48 EBCDIC Key exchange rule name for this IKE tunnel.
100(X'64') SMF119IS_IKETunKeyExchAction 48 EBCDIC Key exchange action name for this IKE tunnel.
148(X'94') SMF119IS_IKETunLclEndpt4 4 Binary Local security endpoint for this IKE tunnel. SMF119IS_IKETunLclEndpt4 and SMF119IS_IKETunLclEndpt6 describe the same storage at this offset; the flag SMF119IS_IKETunIPv6 selects the interpretation:
  • If SMF119IS_IKETunIPv6 is set, the field is the 16-byte IPv6 local security endpoint (SMF119IS_IKETunLclEndpt6).
  • If SMF119IS_IKETunIPv6 is clear, the field is the 4-byte IPv4 local security endpoint (SMF119IS_IKETunLclEndpt4).
148(X'94') SMF119IS_IKETunLclEndpt6 16 Binary See SMF119IS_IKETunLclEndpt4; both names refer to the same field.
164(X'A4') SMF119IS_IKETunRmtEndpt4 4 Binary Remote security endpoint for this IKE tunnel. SMF119IS_IKETunRmtEndpt4 and SMF119IS_IKETunRmtEndpt6 describe the same storage at this offset; the flag SMF119IS_IKETunIPv6 selects the interpretation:
  • If SMF119IS_IKETunIPv6 is set, the field is the 16-byte IPv6 remote security endpoint (SMF119IS_IKETunRmtEndpt6).
  • If SMF119IS_IKETunIPv6 is clear, the field is the 4-byte IPv4 remote security endpoint (SMF119IS_IKETunRmtEndpt4).
164(X'A4') SMF119IS_IKETunRmtEndpt6 16 Binary See SMF119IS_IKETunRmtEndpt4; both names refer to the same field.
180(X'B4') SMF119IS_IKETunICookie 8 Binary The icookie for this IKE tunnel
188(X'BC') SMF119IS_IKETunRCookie 8 Binary The rcookie for this IKE tunnel
196(X'C4') SMF119IS_IKETunExchangeMode 1 Binary Tunnel exchange mode. For IKEv1 SAs, possible values are:
  • SMF119IS_IKETUN_EXCHMAIN (2)
  • SMF119IS_IKETUN_EXCHAGGRESSIVE (4)

For IKEv2 SAs, this field is not applicable and is 0.

197(X'C5') SMF119IS_IKETunState 1 Binary Tunnel state. Possible values are:
  • SMF119IS_SASTATE_DEACT (1): Dynamic tunnel is deactivated. This value is valid only for record subtype 74.
  • SMF119IS_SASTATE_ACTIVE (2): Tunnel is active. This value is valid only for record subtype 73.
  • SMF119IS_SASTATE_EXPIRED (3): Dynamic tunnel is expired. This value is valid only for record subtype 74.
198(X'C6') SMF119IS_IKETunAuthAlg 1 Binary Tunnel authentication algorithm. Possible values are:
  • SMF119IS_AUTH_HMAC_MD5 (38)

    The tunnel uses HMAC-MD5 authentication with the full 128-bit Integrity Check Value (ICV). This value is applicable only to IKEv1 tunnels.

  • SMF119IS_AUTH_HMAC_SHA1 (39)

    The tunnel uses HMAC-SHA1 authentication with the full 160-bit ICV. This value is applicable only to IKEv1 tunnels.

  • SMF119IS_AUTH_HMAC_MD5_96 (40)

    The tunnel uses HMAC-MD5 authentication with ICV truncation to 96 bits. This value is applicable only to IKEv2 tunnels.

  • SMF119IS_AUTH_HMAC_SHA1_96 (41)

    The tunnel uses HMAC-SHA1 authentication with ICV truncation to 96 bits. This value is applicable only to IKEv2 tunnels.

  • SMF119IS_AUTH_HMAC_SHA2_256_128 (7)

    The tunnel uses HMAC-SHA2-256 authentication with ICV truncation to 128 bits.

  • SMF119IS_AUTH_HMAC_SHA2_384_192 (13)

    The tunnel uses HMAC-SHA2-384 authentication with ICV truncation to 192 bits.

  • SMF119IS_AUTH_HMAC_SHA2_512_256 (14)

    The tunnel uses HMAC-SHA2-512 authentication with ICV truncation to 256 bits.

  • SMF119IS_AUTH_AES128_XCBC_96 (9)

    The tunnel uses AES128-XCBC authentication with ICV truncation to 96 bits.

199(X'C7') SMF119IS_IKETunEncryptAlg 1 Binary Tunnel encryption algorithm. Possible values are:
  • SMF119IS_ENCR_DES (18)
  • SMF119IS_ENCR_3DES (3)
  • SMF119IS_ENCR_AES_CBC (12)

    AES encryption algorithm in Cipher Block Chaining (CBC) mode. See SMF119IS_IKETunEncryptKeyLength; it identifies the key length in use.

200(X'C8') SMF119IS_IKETunDHGroup 4 Binary Diffie-Hellman group used to generate keying material for this IKE tunnel.
204(X'CC') SMF119IS_IKETunPeerAuthMethod 1 Binary Tunnel peer authentication method. Possible values are:
  • SMF119IS_IKETUN_PRESHAREDKEY (3)
  • SMF119IS_IKETUN_RSASIGNATURE (2)
  • SMF119IS_IKETUN_ECDSA_256 (4)
  • SMF119IS_IKETUN_ECDSA_384 (5)
  • SMF119IS_IKETUN_ECDSA_521 (6)
205(X'CD') SMF119IS_IKETunRole 1 Binary Tunnel role. Possible values are:
  • SMF119IS_IKETUN_INITIATOR (1)
  • SMF119IS_IKETUN_RESPONDER (2)
206(X'CE') SMF119IS_IKETunNATTLevel 1 Binary NAT traversal support level. Possible values are:
  • SMF119IS_IKETUN_NATTNONE (0): No NAT traversal support; support is either not configured or not negotiated.
  • SMF119IS_IKETUN_NATTRFCD2 (1): RFC 3947 draft 2 support.
  • SMF119IS_IKETUN_NATTRFCD3 (3): RFC 3947 draft 3 support.
  • SMF119IS_IKETUN_NATTRFC (4): RFC 3947 support with non-z/OS® peer.
  • SMF119IS_IKETUN_NATTZOS (5): RFC 3947 support with z/OS peer.
  • SMF119IS_IKETUN_NATTV2 (6): IKEv2 NAT traversal support.
  • SMF119IS_IKETUN_NATTV2ZOS (7): IKEv2 NAT traversal support with z/OS peer.
207(X'CF') SMF119IS_IKETunExtState 1 Binary Extended tunnel state information. Possible values are:
  • SMF119IS_EXTSASTATE_ACTIVATE (1): This value is a new Phase 1 activation. This value is valid only for record subtype 73.
  • SMF119IS_EXTSASTATE_REFRESH (2): This value is a Phase 1 refresh. This value is valid only for record subtype 73.
The following values are valid only for record subtype 74:
  • SMF119IS_EXTSASTATE_DEACT (3): This tunnel is deactivated (not as a result of error or negotiation failure).
  • SMF119IS_EXTSASTATE_PROPOSAL (4): Negotiation failure; no proposal matched the current policy.
  • SMF119IS_EXTSASTATE_RETRANS (5): Negotiation failure; a retransmit limit was encountered while negotiating this tunnel.
  • SMF119IS_EXTSASTATE_POLICY (6): Negotiation failure; a policy mismatch other than a proposal mismatch occurred. For example, no valid KeyExchangeRule value was set.
  • SMF119IS_EXTSASTATE_OTHER (7): Negotiation failure; the data in an ISAKMP packet was not valid, or an internal error occurred.
208(X'D0') SMF119IS_IKETunLifesize 8 Binary Tunnel lifesize.

If this value is not 0, this value indicates the lifesize limit for the tunnel, in bytes.

216(X'D8') SMF119IS_IKETunLifetime 4 Binary Tunnel lifetime.

This value indicates the total number of seconds the tunnel remains active.

220(X'DC') SMF119IS_IKETunLifetimeRefresh 4 Binary Tunnel lifetime refresh.

This value indicates the time at which the tunnel is refreshed (in UNIX format).

224(X'E0') SMF119IS_IKETunLifetimeExpire 4 Binary Tunnel lifetime expiration.

This value indicates the time at which the tunnel expires (in UNIX format).

228(X'E4') SMF119IS_IKETunRmtUDPPort 2 Binary Remote UDP port used for IKE negotiations.
230(X'E6') SMF119IS_IKETunLIDType 1 Binary ISAKMP identity type for the local security endpoint identity, as defined in RFC 2407.

ISAKMP peers exchange and verify identities as part of the IKE tunnel (phase 1) negotiation.

231(X'E7') SMF119IS_IKETunRIDType 1 Binary ISAKMP identity type for the remote security endpoint identity, as defined in RFC 2407.

ISAKMP peers exchange and verify identities as part of the IKE tunnel (phase 1) negotiation.

232(X'E8') SMF119IS_IKETunStartTime 4 Binary Tunnel start time.

Indicates the time at which the tunnel was activated or refreshed (in UNIX format).

236(X'EC') SMF119IS_IKETunMajorVer 1 Binary Major version of the IKE protocol in use. Only the low-order 4 bits are used.
237(X'ED') SMF119IS_IKETunMinorVer 1 Binary Minor version of the IKE protocol in use. Only the low-order 4 bits are used.
238(X'EE') SMF119IS_IKETunPseudoRandomFunc 1 Binary Pseudo-random function used for seeding keying material. One of the following values:
  • SMF119IS_AUTH_HMAC_MD5 (38)
  • SMF119IS_AUTH_HMAC_SHA1 (39)
  • SMF119IS_AUTH_HMAC_SHA2_256 (15)
  • SMF119IS_AUTH_HMAC_SHA2_384 (16)
  • SMF119IS_AUTH_HMAC_SHA2_512 (17)
  • SMF119IS_AUTH_AES128_XCBC (18)
239(X'EF') SMF119IS_IKETunLocalAuthMethod 1 Binary The authentication method for the local endpoint. One of the following values:
  • SMF119IS_IKETUN_PRESHAREDKEY (3)
  • SMF119IS_IKETUN_RSASIGNATURE (2)
  • SMF119IS_IKETUN_ECDSA_256 (4)
  • SMF119IS_IKETUN_ECDSA_384 (5)
  • SMF119IS_IKETUN_ECDSA_521 (6)
  • SMF119IS_IKETUN_DS (7)
240(X'F0') SMF119IS_IKETunReauthInterval 4 Binary Reauthentication interval. Indicates the number of seconds between reauthentication operations.
244(X'F4') SMF119IS_IKETunReauthTime 4 Binary Tunnel reauthentication time. Indicates the time at which the tunnel is reauthenticated (in UNIX format).
248(X'F8') SMF119IS_IKETunGeneration 4 Binary Tunnel generation number. The first IKE tunnel with a particular tunnel ID has generation 1. Subsequent refreshes of this IKE tunnel have the same tunnel ID, but with higher generation numbers.
252(X'FC') SMF119IS_IKETunEncryptKeyLength 4 Binary Encryption key length for variable-length algorithms, in bits. This value is 0 for encryption algorithms that have a fixed key length (such as DES and 3DES) and nonzero for encryption algorithms that have a variable key length (such as AES-CBC).
Result: Example values are 128 and 256.

Table 3 shows the IPSec local ID specific section.

Table 3. IPSec local ID specific section
Offset Name Length Format Description
0(X'0') SMF119IS_LocalID n EBCDIC Contents of the local identity used to negotiate the IKE tunnel. Regardless of the identity type, the value is expressed as an EBCDIC string (an IP address is returned in printable form).

Table 4 shows the IPSec remote ID specific section:

Table 4. IPSec remote ID specific section
Offset Name Length Format Description
0(X'0') SMF119IS_RemoteID n EBCDIC Contents of the remote identity used to negotiate the IKE tunnel. Regardless of the identity type, the value is expressed as an EBCDIC string (an IP address is returned in printable form).
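As an added example (not IBM code and not part of this reference), the following Python decoder walks the Table 1 triplets, decodes the Table 2 common IKE tunnel section (the flag bits, the IPv4/IPv6 endpoint overlay, the EBCDIC names, the UNIX-format timestamps and the 4-bit version fields), reads the Table 3 and Table 4 identity strings, and then runs a defender-side review of the negotiated parameters. It assumes big-endian fields, EBCDIC code page 037, and that the standard 24-byte SMF header carries the 2-byte subtype at offset 22 (the header layout itself is not on this page); the TCP/IP stack identification section is treated as opaque for the same reason. The sample record is constructed inline and does not come from a real system.

```python
import struct
import ipaddress
from datetime import datetime, timezone

SUBTYPE_OFF, SUBTYPE_IKE_TUNNEL = 22, 73   # assumed header layout, see lead-in

# Table 2 bit names and enumerations, as listed on this page.
FLAGS = {0x80000000: "IPv6", 0x40000000: "NATAllowed", 0x20000000: "LclNAT",
         0x10000000: "RmtNAT", 0x08000000: "RmtNAPT", 0x04000000: "CanInitP1",
         0x02000000: "FIPS140"}
AUTH_ALG = {38: "HMAC_MD5", 39: "HMAC_SHA1", 40: "HMAC_MD5_96", 41: "HMAC_SHA1_96",
            7: "HMAC_SHA2_256_128", 13: "HMAC_SHA2_384_192",
            14: "HMAC_SHA2_512_256", 9: "AES128_XCBC_96"}
ENCR_ALG = {18: "DES", 3: "3DES", 12: "AES_CBC"}
AUTH_METHOD = {3: "PRESHAREDKEY", 2: "RSASIGNATURE", 4: "ECDSA_256",
               5: "ECDSA_384", 6: "ECDSA_521", 7: "DS"}
PRF = {38: "HMAC_MD5", 39: "HMAC_SHA1", 15: "HMAC_SHA2_256",
       16: "HMAC_SHA2_384", 17: "HMAC_SHA2_512", 18: "AES128_XCBC"}
ROLE = {1: "INITIATOR", 2: "RESPONDER"}
EXT_STATE = {1: "ACTIVATE", 2: "REFRESH"}


def ebcdic(raw):
    """Decode a space-padded EBCDIC (code page 037) field."""
    return raw.decode("cp037").rstrip(" \x00")


def unix_iso(ts):
    """Render a 'UNIX format' timestamp (seconds since the epoch) as ISO 8601 UTC."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sections(rec):
    """Table 1: walk the self-defining triplets; return the raw instances per section."""
    count = struct.unpack_from(">H", rec, 24)[0]
    out = []
    for i in range(count):
        off, length, num = struct.unpack_from(">IHH", rec, 28 + 8 * i)
        out.append([rec[off + n * length: off + (n + 1) * length] for n in range(num)])
    return out


def parse_common(sec):
    """Table 2: decode the 256-byte common IKE tunnel section."""
    flags = struct.unpack_from(">I", sec, 0)[0]
    alen = 16 if flags & 0x80000000 else 4      # Endpt4/Endpt6 overlay the same bytes
    head = struct.unpack_from(">BBBBIBBBB", sec, 196)        # offsets 196..207
    tail = struct.unpack_from(">QIIIHBBIBBBBIIII", sec, 208)  # offsets 208..255
    return {
        "flags": [n for b, n in FLAGS.items() if flags & b],
        "tunnel_id": ebcdic(sec[4:52]),
        "key_exchange_rule": ebcdic(sec[52:100]),
        "key_exchange_action": ebcdic(sec[100:148]),
        "local_endpoint": str(ipaddress.ip_address(sec[148:148 + alen])),
        "remote_endpoint": str(ipaddress.ip_address(sec[164:164 + alen])),
        "icookie": sec[180:188].hex(), "rcookie": sec[188:196].hex(),
        "exchange_mode": head[0], "state": head[1],
        "auth_alg": AUTH_ALG.get(head[2], head[2]),
        "encrypt_alg": ENCR_ALG.get(head[3], head[3]), "dh_group": head[4],
        "peer_auth_method": AUTH_METHOD.get(head[5], head[5]),
        "role": ROLE.get(head[6], head[6]), "natt_level": head[7],
        "ext_state": EXT_STATE.get(head[8], head[8]),
        "lifesize": tail[0], "lifetime": tail[1],
        "refresh_at": unix_iso(tail[2]), "expire_at": unix_iso(tail[3]),
        "remote_udp_port": tail[4], "local_id_type": tail[5], "remote_id_type": tail[6],
        "start_at": unix_iso(tail[7]),
        "ike_version": f"{tail[8] & 0x0F}.{tail[9] & 0x0F}",   # low-order 4 bits only
        "prf": PRF.get(tail[10], tail[10]),
        "local_auth_method": AUTH_METHOD.get(tail[11], tail[11]),
        "reauth_interval": tail[12], "reauth_at": unix_iso(tail[13]),
        "generation": tail[14], "encrypt_key_bits": tail[15],
    }


def parse_record(rec):
    """Decode one subtype 73 record into a flat dict (Tables 1 to 4)."""
    rec = bytes(rec)
    if struct.unpack_from(">H", rec, SUBTYPE_OFF)[0] != SUBTYPE_IKE_TUNNEL:
        raise ValueError("not an SMF 119 subtype 73 record")
    _ident, common, local_ids, remote_ids = sections(rec)   # identification section left opaque
    tunnel = parse_common(common[0])
    tunnel["local_id"], tunnel["remote_id"] = ebcdic(local_ids[0]), ebcdic(remote_ids[0])
    return tunnel


def findings(t):
    """Defender-side review: negotiated parameters a hardening policy would usually reject."""
    out = []
    if t["encrypt_alg"] == "DES":
        out.append("single-DES encryption negotiated")
    if str(t["auth_alg"]).startswith("HMAC_MD5") or t["prf"] == "HMAC_MD5":
        out.append("MD5-based integrity or PRF negotiated")
    if "FIPS140" not in t["flags"]:
        out.append("tunnel not running in FIPS 140 mode")
    return out


def build_sample():
    """Constructed sample record: IPv4 IKEv1 main-mode tunnel, deliberately weak."""
    common = bytearray(256)
    struct.pack_into(">I", common, 0, 0x40000000 | 0x04000000)   # NATAllowed, CanInitP1
    common[4:52] = "IKETUN0001".ljust(48).encode("cp037")
    common[52:100] = "SiteToSiteRule".ljust(48).encode("cp037")
    common[100:148] = "MainModeAction".ljust(48).encode("cp037")
    common[148:152] = ipaddress.ip_address("192.0.2.1").packed
    common[164:168] = ipaddress.ip_address("198.51.100.7").packed
    common[180:196] = bytes(range(16))                           # icookie, rcookie
    # exch MAIN(2), ACTIVE(2), HMAC_MD5(38), DES(18), DH 2, PSK(3), INITIATOR(1), NATTRFC(4), ACTIVATE(1)
    struct.pack_into(">BBBBIBBBB", common, 196, 2, 2, 38, 18, 2, 3, 1, 4, 1)
    # lifesize, lifetime, refresh, expire, port, LID/RID type, start, ver 1.0, PRF, auth, reauth x2, gen, key bits
    struct.pack_into(">QIIIHBBIBBBBIIII", common, 208, 0, 28800, 1700025920, 1700028800,
                     500, 1, 1, 1700000000, 1, 0, 38, 3, 0, 0, 1, 0)
    secs = (bytes(8), bytes(common), "192.0.2.1".encode("cp037"), "198.51.100.7".encode("cp037"))
    rec = bytearray(24)                                          # opaque header except subtype
    struct.pack_into(">H", rec, SUBTYPE_OFF, SUBTYPE_IKE_TUNNEL)
    rec += struct.pack(">HH", len(secs), 0)                      # triplet count, reserved
    off, body = 28 + 8 * len(secs), b""
    for s in secs:
        rec += struct.pack(">IHH", off, len(s), 1)
        body, off = body + s, off + len(s)
    return bytes(rec) + body


if __name__ == "__main__":
    t = parse_record(build_sample())
    print(t["tunnel_id"], t["local_endpoint"], "->", t["remote_endpoint"], findings(t))
```

The section walk is driven entirely by the triplets, so a record whose local or remote ID section is longer than the sample still decodes; `parse_common` relies on the fixed Table 2 offsets and will raise if a common section is shorter than 256 bytes rather than silently mis-read it.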