Use the IKE tunnels attributes to display availability and performance statistics for IKE tunnels known to the IKE daemon for a specific stack. IKE tunnels are used by a security endpoint (IKE daemon) to negotiate dynamic IP tunnels.
This data is available for monitoring agents running under z/OS version 1.8 or higher.
Active Dynamic Tunnels Current count of active dynamic tunnels associated with this Internet Key Exchange (IKE) tunnel. The format is an integer.
Authentication Algorithm The authentication algorithm used for this tunnel. This value is stored as an integer and displayed as a string. Valid values are:
Byte Rate The number of bytes protected, per minute, for this tunnel during the most recent time interval. The format is an integer.
Bytes The number of bytes protected by this tunnel during the most recent time interval. The format is an integer.
Collection Time The time and date of the data sampling. This time is displayed in the following format:
mm/dd/yy hh:mm:ss
Where:
The stored format is a string no longer than 16 characters in the format CYYMMDDHHMMSSmmm (as in 1020315064501000 for 03/15/02 06:45:01) where:
Diffie-Hellman Group Diffie-Hellman group used to generate keying material for the tunnel. Each group identifies the number of bits to be used in a prime number that is used to generate keying material. This column is blank if PFS (perfect forward secrecy) was not negotiated for the tunnel. This value is stored as an integer and displayed as a string. Valid values are:
Encryption Algorithm Encryption algorithm used by the tunnel. This value is stored as an integer and displayed as a string. Valid values are:
Exchange Mode Exchange mode used by a tunnel. This value is stored as an integer and displayed as a string. Valid values are:
Extended State Indicates the progress of the tunnel negotiation. This value is stored as an integer and displayed as a string. Valid values are:
In Progress Dynamic Tunnels Current count of in-progress dynamic tunnels associated with this Internet Key Exchange (IKE) tunnel. The format is an integer.
Initiation Indicator Indicates if the local security endpoint may initiate Internet Key Exchange (IKE) tunnel negotiations with the remote security endpoint. Either security endpoint may initiate refreshes regardless of the value of this indicator. This value is stored as an integer and displayed as a string. Valid values are:
Initiator Cookie A string of hexadecimal digits that, when combined with the Responder Cookie, uniquely identifies the SA for the tunnel. This value is stored as a 16-character string. This field is not displayed.
IP Address Version The version of the IP addresses being used for the security endpoints. This value is stored as an integer and displayed as a string. Valid values are:
This value is not displayed.
Key Exchange Action Name The name specified on a z/OS Communications Server Policy Agent KeyExchangeAction configuration statement. This name identifies the action being used to activate this Internet Key Exchange (IKE) tunnel. Key exchange actions describe how key exchanges between security endpoints should be protected. This field is stored as a 48-character string.
Key Exchange Rule Name The name specified on a z/OS Communications Server Policy Agent KeyExchangeRule configuration statement. This name identifies the rule being used to activate this Internet Key Exchange (IKE) tunnel. Key exchange rules identify the security endpoints for an IKE tunnel and the policy to be used for the tunnel by referencing a key exchange action. This field is stored as a 48-character string.
Life Expiration Time The time at which the tunnel will expire. This column is blank if no life time was negotiated. This time is displayed in the following format:
mm/dd/yy hh:mm:ss
Where:
The stored format is a string no longer than 16 characters in the format CYYMMDDHHMMSSmmm (as in 1020315064501000 for 03/15/02 06:45:01) where:
Life Refresh Time The time at which the tunnel is refreshed. This column is blank if no life time was negotiated. This time is displayed in the following format:
mm/dd/yy hh:mm:ss
Where:
The stored format is a string no longer than 16 characters in the format CYYMMDDHHMMSSmmm (as in 1020315064501000 for 03/15/02 06:45:01) where:
Life Size The number of bytes of data that may traverse the tunnel over the life of the tunnel. This value is 0 if no life size was negotiated for the tunnel. The format is an integer.
Life Time The amount of time, in seconds, that the tunnel is to remain active. The format is an integer.
Local NAT Indicator Indicates if network address translation (NAT) has been detected in front of the local security endpoint. This value is stored as an integer and displayed as a string. Valid values are:
Local Security Endpoint The IP address of the local security endpoint (IKE) responsible for negotiating the tunnel. The format is a UTF-8 encoded character string of up to 45 characters.
Local Security Endpoint ID Internet Security Association and Key Management Protocol (ISAKMP) identity of the local security endpoint. This field is a string containing an identifier, as described by local security endpoint ID type. Some ID strings can be as long as 2048 characters. The ID is always truncated at 100 characters. If no IDs are exchanged, this field is stored as blanks. This field is not displayed.
Local Security Endpoint ID Type Internet Security Association and Key Management Protocol (ISAKMP) identity type for the local security endpoint as defined in RFC 2407. If client IDs were not exchanged during negotiation, this column is blank. ISAKMP peers exchange and verify each other's identities as part of the Internet Key Exchange (IKE) tunnel (Phase 1) negotiation. This value is stored as an integer and displayed as a string. Valid values are:
This field is not displayed.
NAT Traversal Indicator Indicates if the network address translation (NAT) traversal function is enabled for the tunnel. This value is stored as an integer and displayed as a string. Valid values are:
NAT Traversal Support Level Indicates the type of network address translation (NAT) traversal support being used. This value is stored as an integer and displayed as a string. Valid values are:
Origin Node The unique identifier for the TCP/IP stack being displayed. The format is an alphanumeric string no longer than 32 characters. This field is not displayed.
Peer Authentication Method Peer authentication method. This value is stored as an integer and displayed as a string. Valid values are:
Percent Failed Activations The percent of dynamic tunnel activations that have failed for this Internet Key Exchange (IKE) tunnel. The format is a number between 0 and 100 inclusive.
Percent In Progress Dynamic Tunnels The percentage of dynamic tunnels in progress compared to active dynamic tunnels. The format is a number between 0 and 100 inclusive.
Remote IKE UDP Port Remote UDP port used for Internet Key Exchange (IKE) negotiations. This column is stored as a 5-character string.
Remote NAT Indicator Indicates if a NAT has been detected in front of the remote security endpoint. This value is stored as an integer and displayed as a string. Valid values are:
Remote NAPT Indicator Indicates if a network address port translation (NAPT) has been detected in front of the remote security endpoint. It is possible that a NAPT may exist but is detected only as a NAT. This value is stored as an integer and displayed as a string. Valid values are:
Remote Security Endpoint The IP address of the remote security endpoint (IKE) responsible for negotiating the tunnel. The format is a UTF-8 encoded character string of up to 45 characters.
Remote Security Endpoint ID Internet Security Association and Key Management Protocol (ISAKMP) identity of the remote security endpoint. This field is a string containing an identifier, as described by remote security endpoint ID type. Some ID strings can be as long as 2048 characters. The ID is always truncated at 100 characters. If no IDs are exchanged, this field is stored as blanks. This field is not displayed.
Remote Security Endpoint ID Type Internet Security Association and Key Management Protocol (ISAKMP) identity type for the remote security endpoint as defined in RFC 2407. If client IDs were not exchanged during negotiation, this column is blank. ISAKMP peers exchange and verify each other's identities as part of the Internet Key Exchange (IKE) tunnel (Phase 1) negotiation. This value is stored as an integer and displayed as a string. Valid values are:
This field is not displayed.
Responder Cookie A string of hexadecimal digits that, when combined with the Initiator Cookie, uniquely identifies the SA for the tunnel. This value is stored as a 16-character string. This field is not displayed.
Role Role of the local security endpoint in the activation of the tunnel. This value is stored as an integer and displayed as a string. Valid values are:
State Current state of the tunnel. This value is stored as an integer and displayed as a string. Valid values are:
Sysplex Name The name of the sysplex that the monitored system is part of. This field is not displayed.
System ID The SMF system ID. The format is an alphanumeric string no longer than 4 characters. This field is not displayed.
TCPIP STC Name The name of the TCP/IP job. The format is an alphanumeric string no longer than 8 characters. This field is not displayed.
Total Bytes The cumulative number of bytes protected by this tunnel since the tunnel was activated. The value in this column can be added to the product of 1,073,741,823 and the value in the Total Bytes (in G) column to calculate the total bytes for the tunnel. For SWSA tunnels, the value is for bytes that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Bytes (in G) The cumulative number of bytes protected by this tunnel since the tunnel was activated, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,823 and added to the value in the Total Bytes column to calculate the total bytes for the tunnel. The format is an integer.
Total Failed Local Activations Cumulative count of failed locally initiated dynamic tunnel activations for this Internet Key Exchange (IKE) tunnel. The format is an integer.
Total Failed Remote Activations Cumulative count of failed remotely initiated dynamic tunnel activations for this Internet Key Exchange (IKE) tunnel. The format is an integer.
Total Successful Local Activations Cumulative count of successful locally initiated dynamic tunnel activations for this Internet Key Exchange (IKE) tunnel. The format is an integer.
Total Successful Remote Activations Cumulative count of successful remotely initiated dynamic tunnel activations for this Internet Key Exchange (IKE) tunnel. The format is an integer.
Tunnel ID Tunnel identifier. This identifier is generated by the Internet Key Exchange (IKE) daemon and is not unique. Multiple related tunnels may have the same tunnel ID. This value is a character string of up to 48 characters.
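The stored CYYMMDDHHMMSSmmm form of Collection Time, Life Expiration Time and Life Refresh Time can be decoded and compared as follows. This is an added example, not code from the product: the century-digit reading of C (0 = 19xx, 1 = 20xx) is an assumption taken from the sample value above, and the rows, tunnel IDs and function names are constructed for illustration.

```python
from datetime import datetime

def parse_stored_time(stored):
    """Decode a stored CYYMMDDHHMMSSmmm string; None for a blank column."""
    s = stored.strip()
    if not s:
        return None  # blank column: no life time was negotiated
    if len(s) != 16 or not s.isdigit():
        raise ValueError(f"not a CYYMMDDHHMMSSmmm value: {stored!r}")
    # Assumption: C is a century digit (0 = 19xx, 1 = 20xx), consistent with
    # the sample 1020315064501000 being displayed as 03/15/02 06:45:01.
    year = 1900 + 100 * int(s[0]) + int(s[1:3])
    # datetime() rejects impossible months, days, hours and so on.
    return datetime(year, int(s[3:5]), int(s[5:7]), int(s[7:9]),
                    int(s[9:11]), int(s[11:13]), int(s[13:16]) * 1000)

def display_time(stored):
    """Render a stored value in the displayed mm/dd/yy hh:mm:ss form."""
    t = parse_stored_time(stored)
    return "" if t is None else t.strftime("%m/%d/%y %H:%M:%S")

def seconds_to_expiry(collection, expiration):
    """Seconds from the sample time to tunnel expiry, or None if blank."""
    c, e = parse_stored_time(collection), parse_stored_time(expiration)
    if c is None or e is None:
        return None
    return (e - c).total_seconds()

def expiring_within(rows, seconds):
    """Tunnel IDs whose Life Expiration Time falls within `seconds`."""
    hits = []
    for row in rows:
        left = seconds_to_expiry(row["Collection Time"],
                                 row["Life Expiration Time"])
        if left is not None and left <= seconds:
            hits.append(row["Tunnel ID"])
    return hits

# Constructed sample rows (not real monitoring data).
ROWS = [
    {"Tunnel ID": "K1", "Collection Time": "1020315064501000",
     "Life Expiration Time": "1020315065001000"},
    {"Tunnel ID": "K2", "Collection Time": "1020315064501000",
     "Life Expiration Time": "1020315144501000"},
    {"Tunnel ID": "K3", "Collection Time": "1020315064501000",
     "Life Expiration Time": " " * 16},  # no life time negotiated
]

if __name__ == "__main__":
    print(display_time("1020315064501000"), expiring_within(ROWS, 600))
```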