Use the IpDynVpnAction statement to specify how selected data traffic between two security endpoints is protected using dynamically established security associations (that is, IPsec SAs negotiated by IKE rather than configured manually). An IpDynVpnAction statement contains inline IpDataOffer definitions, references to separately defined IpDataOffer statements (IpDataOfferRef), or both.
Syntax (rendered from the railroad diagram; braces and each parameter go on separate lines, as the "Put Braces and Parameters on Separate Lines" syntax fragment requires):

    IpDynVpnAction name
    {
        Pfs              None | Group1 | Group2 | Group5 | Group14                 (default None; deprecated)
        Initiation       LocalOnly | RemoteOnly | Either                           (default Either)
        VpnLife          n                                                         (default 1440)
        InitiateWithPfs  None | Group1 | Group2 | Group5 | Group14 |
                         Group19 | Group20 | Group21 | Group24                     (default None)
        AcceptablePfs    None | Group1 | Group2 | Group5 | Group14 |
                         Group19 | Group20 | Group21 | Group24                     (default None; may be repeated)
        HowToEncapIKEv2  Tunnel | Transport | Either                               (default Either)
        PassthroughDF    Yes | No [ Clear | Set ]                                  (default Yes; No defaults to Clear)
        PassthroughDSCP  Yes | No                                                  (default Yes)
        IpDataOffer { ... }  or  IpDataOfferRef name                               (one or more, in any combination)
    }

All parameters are optional except name and at least one IpDataOffer or IpDataOfferRef entry.
Pfs
Restriction: Groups 1, 2, and 5 are not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Guideline: If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 5, 14, 19, 20, or 24. If you are using encryption or authentication algorithms with a key length of 256 bits or greater, use Diffie-Hellman group 21. Note that group 5 (1536-bit MODP) is rejected in FIPS 140 mode and provides well under 128 bits of security by current NIST key-strength estimates, so prefer group 14 or the elliptic-curve groups 19 and 20 when the peer supports them.
Rule: Pfs is deprecated. Use the InitiateWithPfs and AcceptablePfs parameters instead. If you use Pfs, both InitiateWithPfs and AcceptablePfs are set to the Pfs value.
Restriction: Do not use the Pfs parameter in conjunction with the InitiateWithPfs or AcceptablePfs parameters.
AcceptablePfs
Restriction: Groups 1, 2, and 5 are not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Restriction: Groups 19, 20, 21, and 24 are valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Result: For negotiations using IKE version 1, the AcceptablePfs list is used when the z/OS® IKE daemon is the responder for a security association. For negotiations using IKE version 2, the AcceptablePfs list is used in both initiator and responder modes.
Guideline: If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 5, 14, 19, 20, or 24. If you are using encryption or authentication algorithms with a key length of 256 bits or greater, use Diffie-Hellman group 21.
InitiateWithPfs
Rule: The InitiateWithPfs Diffie-Hellman group must also be specified as one of the values on the AcceptablePfs parameter.
Restriction: Do not use the Pfs parameter in conjunction with the InitiateWithPfs or AcceptablePfs parameters.
Restriction: Groups 1, 2, and 5 are not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.
Restriction: Groups 19, 20, 21, and 24 are valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Result: For negotiations using IKE version 1, only the InitiateWithPfs selection is sent in the proposal. For negotiations using IKE version 2, all PFS selections on the AcceptablePfs list are included in the proposal, with the InitiateWithPfs selection sent as the first choice.
Guideline: If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 5, 14, 19, 20, or 24. If you are using encryption or authentication algorithms with a key length of 256 bits or greater, use Diffie-Hellman group 21.
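The Pfs, AcceptablePfs and InitiateWithPfs rules above (the deprecated Pfs parameter, the ban on mixing it with the newer parameters, the requirement that InitiateWithPfs appear on AcceptablePfs, the FIPS 140 and V1R12 group restrictions, and the one-to-48 limit on IpDataOffer/IpDataOfferRef entries) can be checked before a policy file is handed to the Policy Agent. The following is an added example written for this page, not IBM code and not part of the Policy Agent: a small parser and linter for one IpDynVpnAction block, run over a constructed weak block and a constructed hardened one. The action and offer names (weakAction, hardenedAction, goldOffer), the function names, the assumption that `#` starts a comment, and the VnRm release-string format are all assumptions of the example.

```python
"""Parse and lint an IpDynVpnAction block against this page's rules (added example, not IBM code)."""
import re
from dataclasses import dataclass, field

FIPS_REJECTED = {"Group1", "Group2", "Group5"}              # not accepted in FIPS 140 mode
V1R12_ONLY = {"Group19", "Group20", "Group21", "Group24"}    # valid only for V1R12 and later
PFS_VALUES = {"None", "Group1", "Group2", "Group5", "Group14"} | V1R12_ONLY
MAX_OFFERS = 48                                             # IpDataOffer plus IpDataOfferRef

@dataclass
class DynVpnAction:
    name: str
    pfs: str = ""                  # the deprecated parameter, if coded
    initiate_with_pfs: str = ""    # empty means not coded (defaults to the keyword None)
    acceptable_pfs: list = field(default_factory=list)   # repeatable parameter
    offers: int = 0                # inline IpDataOffer blocks plus IpDataOfferRef names
    other: dict = field(default_factory=dict)            # remaining parameters, as coded

def _tokens(text):
    for line in text.splitlines():   # words and braces; '#' starts a comment (assumed)
        yield from re.findall(r"[{}]|[^\s{}]+", line.split("#", 1)[0])

def parse_action(text):
    toks = list(_tokens(text))
    if len(toks) < 4 or toks[0] != "IpDynVpnAction" or toks[2] != "{":
        raise ValueError("expected 'IpDynVpnAction <name> {'")
    act, i = DynVpnAction(name=toks[1]), 3
    while i < len(toks):
        kw = toks[i]
        if kw == "}":
            return act
        if i + 1 == len(toks):
            raise ValueError(f"{kw} has no value")
        val, i = toks[i + 1], i + 2
        if kw == "IpDataOffer":                # inline offer: step over its nested braces
            if val != "{":
                raise ValueError("IpDataOffer must be followed by '{'")
            depth = 1
            while depth and i < len(toks):
                depth += {"{": 1, "}": -1}.get(toks[i], 0)
                i += 1
            act.offers += 1
        elif kw == "IpDataOfferRef":
            act.offers += 1
        elif kw == "Pfs":
            act.pfs = val
        elif kw == "InitiateWithPfs":
            act.initiate_with_pfs = val
        elif kw == "AcceptablePfs":
            act.acceptable_pfs.append(val)
        elif kw == "PassthroughDF" and val == "No" and i < len(toks) and toks[i] in ("Set", "Clear"):
            act.other[kw] = ("No", toks[i])    # optional Set/Clear sub-keyword
            i += 1
        elif kw in ("Initiation", "VpnLife", "HowToEncapIKEv2", "PassthroughDF", "PassthroughDSCP"):
            act.other[kw] = val
        else:
            raise ValueError(f"unknown parameter {kw}")
    raise ValueError("missing closing brace")

def lint(act, fips140=False, release="V2R1"):
    """Return violations of this page's rules; an empty list means the block is clean."""
    problems = []
    if act.pfs:
        problems.append("Pfs is deprecated; use InitiateWithPfs and AcceptablePfs")
        if act.initiate_with_pfs or act.acceptable_pfs:
            problems.append("Pfs must not be combined with InitiateWithPfs or AcceptablePfs")
    initiate = act.pfs or act.initiate_with_pfs or "None"       # Pfs sets both newer parameters
    acceptable = [act.pfs] if act.pfs else (act.acceptable_pfs or ["None"])
    for g in sorted(set(acceptable) | {initiate}):
        if g not in PFS_VALUES:
            problems.append(f"{g} is not a valid Diffie-Hellman group keyword")
        elif fips140 and g in FIPS_REJECTED:
            problems.append(f"{g} is not accepted in FIPS 140 mode")
        elif g in V1R12_ONLY and tuple(map(int, re.findall(r"\d+", release))) < (1, 12):
            problems.append(f"{g} requires V1R12 or later, target is {release}")
    if initiate not in acceptable:
        problems.append(f"InitiateWithPfs {initiate} is not in the AcceptablePfs list {acceptable}")
    if not 1 <= act.offers <= MAX_OFFERS:
        problems.append(f"need 1 to {MAX_OFFERS} IpDataOffer/IpDataOfferRef entries, found {act.offers}")
    return problems

WEAK = """IpDynVpnAction weakAction   # constructed: deprecated Pfs with a FIPS-rejected group
{
    Pfs             Group2
    IpDataOfferRef  goldOffer
}"""
HARDENED = """IpDynVpnAction hardenedAction   # constructed: explicit, FIPS-clean PFS lists
{
    InitiateWithPfs  Group14
    AcceptablePfs    Group14
    AcceptablePfs    Group19
    PassthroughDF    No Clear
    IpDataOffer
    {
        HowToEncap   Transport
    }
    IpDataOfferRef   goldOffer
}"""
```

`lint(parse_action(WEAK), fips140=True)` reports the deprecated Pfs and the Group2 FIPS rejection; `lint(parse_action(HARDENED), fips140=True)` returns an empty list, and passing `release="V1R11"` flags Group19. The linter deliberately applies the defaults the syntax gives (both PFS parameters default to None), so an InitiateWithPfs coded without a matching AcceptablePfs is reported rather than silently accepted.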
HowToEncapIKEv2
Transport: When responding to a remote initiation, if the initiator requests tunnel mode, the negotiation is rejected with a NO_PROPOSAL_CHOSEN notification.
Tip: Specify the Transport keyword on the HowToEncapIKEv2 parameter if you want the SA rejected when the peer responds requiring tunnel mode.
Either: Use the mode proposed by the initiator when responding to a negotiation that was initiated by an IKE peer.
Tip: Specify the Either keyword on the HowToEncapIKEv2 parameter if you want to propose transport mode but are willing to use tunnel mode if the peer responds requiring tunnel mode.
Restriction: The HowToEncapIKEv2 parameter is ignored when negotiating IKE version 1 tunnels. The encapsulation mode for IKE version 1 security associations is determined by the HowToEncap value on the selected IpDataOffer.
Restriction: This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
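The Result statements for AcceptablePfs and InitiateWithPfs and the Transport/Either behaviour of HowToEncapIKEv2 differ by IKE version and by role, which is easy to get wrong when one policy must serve both. The following is an added example, not IBM code, that models those behaviours as stated on this page for both IKE versions and both roles. The peer's group list and the rule that the responder picks the first common group in its own preference order are simplifications of the peer's policy; the Tunnel keyword, which this page does not describe, is assumed to mirror Transport; all function names are the example's own.

```python
"""Model the IKE behaviours this page attributes to InitiateWithPfs, AcceptablePfs and
HowToEncapIKEv2.  Added example, not IBM code; peer inputs below are constructed."""

NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"

def pfs_groups_proposed(ike_version, initiate_with_pfs, acceptable_pfs):
    """Groups z/OS offers when it initiates: IKEv1 sends only the InitiateWithPfs
    group; IKEv2 sends every AcceptablePfs entry with InitiateWithPfs as first choice."""
    if ike_version == 1:
        return [initiate_with_pfs]
    return [initiate_with_pfs] + [g for g in acceptable_pfs if g != initiate_with_pfs]

def negotiate_pfs(ike_version, zos_initiates, initiate_with_pfs, acceptable_pfs, peer_groups):
    """Agreed group or NO_PROPOSAL_CHOSEN.  peer_groups is what the remote side will
    use, in its own preference order (a simplification of the peer's policy)."""
    if zos_initiates:
        # the responder can only pick something z/OS actually proposed
        offered = pfs_groups_proposed(ike_version, initiate_with_pfs, acceptable_pfs)
        return next((g for g in peer_groups if g in offered), NO_PROPOSAL_CHOSEN)
    # z/OS responding: AcceptablePfs is the acceptance list for IKEv1 and IKEv2 alike
    return next((g for g in peer_groups if g in acceptable_pfs), NO_PROPOSAL_CHOSEN)

def ikev2_encap_as_responder(how_to_encap, initiator_mode):
    """Transport: a tunnel-mode request is rejected with NO_PROPOSAL_CHOSEN.
    Either: use the initiator's mode.  Tunnel is not described on this page and is
    assumed here to mirror Transport (reject a transport-mode request)."""
    if how_to_encap == "Either" or how_to_encap == initiator_mode:
        return initiator_mode
    return NO_PROPOSAL_CHOSEN

def ikev2_encap_as_initiator(how_to_encap, responder_mode):
    """Transport and Either both propose transport mode; only Either accepts a peer
    that answers requiring tunnel mode.  Tunnel (undescribed on the page) is assumed
    to propose tunnel mode and reject anything else."""
    proposed = "Tunnel" if how_to_encap == "Tunnel" else "Transport"
    if responder_mode == proposed or how_to_encap == "Either":
        return responder_mode
    return "SA rejected"

def demo():
    """A constructed peer that only accepts Group19, against InitiateWithPfs Group14 and
    AcceptablePfs Group14, Group19: IKEv2 initiation and IKEv1 response succeed, IKEv1
    initiation does not, because IKEv1 proposes the InitiateWithPfs group alone."""
    acceptable = ["Group14", "Group19"]
    return {
        "ikev1_initiate": negotiate_pfs(1, True, "Group14", acceptable, ["Group19"]),
        "ikev1_respond": negotiate_pfs(1, False, "Group14", acceptable, ["Group19"]),
        "ikev2_initiate": negotiate_pfs(2, True, "Group14", acceptable, ["Group19"]),
        "transport_vs_tunnel_peer": ikev2_encap_as_initiator("Transport", "Tunnel"),
        "either_vs_tunnel_peer": ikev2_encap_as_initiator("Either", "Tunnel"),
    }
```

Two consequences worth checking in a real policy follow directly from the model. Under IKEv2, everything on AcceptablePfs is advertised whenever z/OS initiates, so a legacy group kept on the list for one old peer is offered to every peer z/OS contacts. Under IKEv1, only the InitiateWithPfs group is proposed, so a peer that does not accept that one group fails even if it would accept another group on the list.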
PassthroughDF and PassthroughDSCP
Restriction: These parameters are valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
IpDataOffer and IpDataOfferRef
Restriction: An IpDynVpnAction statement is limited to a maximum of 48 IpDataOffer or IpDataOfferRef statements.