Use the Dynamic IP Tunnels attributes to display the availability and performance statistics for dynamic IP tunnels known to the Internet Key Exchange (IKE) daemon and the TCP/IP stack.
This data is available for monitoring agents running under z/OS version 1.8 or higher.
Activation Method Indicates how the tunnel was activated. This value is stored as an integer and displayed as a string. Valid values are:
Authentication Algorithm Identifies the authentication algorithm used for this tunnel. This value is stored as an integer and displayed as a string. Valid values are:
Authentication Protocol Identifies the authentication protocol to be used by the tunnel. This value is stored as an integer and displayed as a string. Valid values are:
Bytes The number of inbound and outbound bytes for this tunnel during the most recent time interval. The format is an integer.
Byte Rate The number of inbound or outbound bytes, per minute, for this tunnel during the most recent time interval. The format is an integer.
Collection Time The time and date of the data sampling. This time is displayed in the following format:
mm/dd/yy hh:mm:ss
Where:
The stored format is a string no longer than 16 characters in the format CYYMMDDHHMMSSmmm (as in 1020315064501000 for 03/15/02 06:45:01) where:
Current Life Size The number of bytes of data that have traversed the tunnel since the tunnel was activated. This value is zero (0) if no life size was negotiated for the tunnel. The format is an integer.
Dest NAT-OA Payload The destination network address translation original address (NAT-OA) payload. NAT-OA payloads are exchanged only for certain UDP-encapsulated tunnels. During NAT traversal negotiations, the Internet Key Exchange (IKE) peer sends the known destination IPv4 address. If NAT traversal negotiation does not occur, or if the peer does not send a source NAT-OA payload, this column is blank. This column is stored as a 15-character string. This field is not displayed.
Destination Address Destination IP address for data protected by the tunnel. This value may be an IPv4 or IPv6 address. If the traffic protected by the tunnel may have any destination IP address, this field is displayed as blanks and stored as "0". If the traffic protected by the tunnel is a range of destination IP addresses, the value displayed is the lower address in the range. The format is a UTF-8 encoded character string of up to 45 characters.
Destination Port Destination port for traffic protected by the tunnel. If the tunnel protects data for all destination ports, this value is 0. This field is represented by a 5-character string.
Diffie-Hellman Group Diffie-Hellman group used to generate keying material for the tunnel. Each group identifies the number of bits to be used in a prime number that is used to generate keying material. This column is blank if PFS (perfect forward security) was not negotiated for the tunnel. This value is stored as an integer and displayed as a string. Valid values are:
Encapsulation Mode Encapsulation mode to be used by the tunnel. This value is stored as an integer and displayed as a string. Valid values are:
Encryption Algorithm Tunnel encryption algorithm. This field is undefined if the tunnel state is PENDING or INCOMPLETE. A value of 99 is assigned to the field in this case and blanks are displayed. This value is stored as an integer and displayed as a string. Valid values are:
Extended State Indicates progress of tunnel negotiation. This value is stored as an integer and displayed as a string. Valid values are:
Filter Rule Definition Name The name specified for the filter rule definition that this tunnel is associated with. This column is stored as a 48-character string.
Inbound Authentication SPI Tunnel inbound authentication security parameter index (SPI). This SPI, combined with the other three SPIs, uniquely identifies a tunnel. This field is an unsigned 4-byte integer and is displayed in hexadecimal. This field is undefined and displayed as blanks if the state of the tunnel is PENDING or INCOMPLETE. This field is not displayed.
Inbound Bytes The number of inbound bytes for this tunnel during the most recent time interval. The format is an integer.
Inbound Encryption SPI Tunnel inbound encryption security parameter index (SPI). This SPI, combined with the other three SPIs, uniquely identifies a tunnel. This is an unsigned 4-byte integer and is displayed in hexadecimal. This field is undefined and displayed as blanks if the state of the tunnel is PENDING or INCOMPLETE. This field is not displayed.
Inbound Packets The number of inbound packets for this tunnel during the most recent time interval. The format is an integer.
Initiation Indicator Indicates if the local security endpoint may initiate dynamic tunnel negotiations with the remote security endpoint. Either security endpoint may initiate refreshes regardless of the value of this indicator. This value is stored as an integer and displayed as a string. Valid values are:
IP Address Version The version of the IP addresses being used for the traffic descriptor and the security endpoints. This value is stored as an integer and displayed as a string. Valid values are:
This field is not displayed.
Life Expiration Time The time at which the tunnel will expire. This column is blank if no life time was negotiated. This time is displayed in the following format:
mm/dd/yy hh:mm:ss
Where:
The stored format is a string no longer than 16 characters in the format CYYMMDDHHMMSSmmm (as in 1020315064501000 for 03/15/02 06:45:01) where:
Life Refresh Time The time at which the tunnel is refreshed. This column is blank if no life time was negotiated. This time is displayed in the following format:
mm/dd/yy hh:mm:ss
Where:
The stored format is a string no longer than 16 characters in the format CYYMMDDHHMMSSmmm (as in 1020315064501000 for 03/15/02 06:45:01) where:
Life Size The number of bytes of data that may traverse the tunnel over the life of the tunnel. This value is zero (0) if no life size was negotiated for the tunnel. The format is an integer.
Local Client ID The Internet Security Associations Key Management Protocol (ISAKMP) identity of the local client. A string containing an identifier as described by Local Client ID Type. Some of the ID strings can get as long as 2048 characters. The ID is always truncated at 100 characters. If no IDs are exchanged, this field contains blanks. The format is a string of up to 100 characters. This field is not displayed.
Local Client ID Type Internet Security Associations Key Management Protocol (ISAKMP) identity type for the local client ID as defined in RFC 2407. If client IDs were not exchanged during negotiation, this column is blank. This value is stored as an integer and displayed as a string. Valid values are:
This field is not displayed.
Local Dynamic VPN Rule Name The name specified on a z/OS Communications Server Policy Agent LocalDynVpnRule configuration statement. The statement describes traffic that is to be protected by a tunnel that is activated on demand using the ipsec command or when the Internet Key Exchange (IKE) daemon or the TCP/IP stack is started or both. This field is stored as blanks if the tunnel is not associated with a local rule. The name is a character string of up to 48 characters.
Local NAT Indicator Indicates if a NAT has been detected in front of the local security endpoint. This value is stored as an integer and displayed as a string. Valid values are:
Local Security Endpoint The IP address of the local security endpoint responsible for negotiating the tunnel. The format is a UTF-8 encoded character string of up to 45 characters.
Origin Node The unique identifier for the TCP/IP stack being displayed. The format is an alphanumeric string no longer than 32 characters. This field is not displayed.
Outbound Authentication SPI Tunnel outbound authentication security parameter index (SPI). This SPI, combined with the other three SPIs, uniquely identifies a tunnel. This is an unsigned 4-byte integer and is displayed in hexadecimal. This field is undefined and displayed as blanks if the state of the tunnel is PENDING or INCOMPLETE. This field is not displayed.
Outbound Bytes The number of outbound bytes for this tunnel during the most recent time interval. The format is an integer.
Outbound Encryption SPI Tunnel outbound encryption security parameter index (SPI). This SPI, combined with the other three SPIs, uniquely identifies a tunnel. This is an unsigned 4-byte integer and is displayed in hexadecimal. This field is undefined and displayed as blanks if the state of the tunnel is PENDING or INCOMPLETE. This field is not displayed.
Outbound Packets The number of outbound packets for this tunnel during the most recent time interval. The format is an integer.
Packet Rate The number of inbound or outbound packets, per minute, for this tunnel during the most recent time interval. The format is an integer.
Packets The number of inbound and outbound packets for this tunnel during the most recent time interval. The format is an integer.
Parent IKE Tunnel ID Tunnel ID for this tunnel's parent IKE (Phase 1) tunnel. The Internet Key Exchange (IKE) tunnel is used to negotiate the IP tunnel. This field is represented as a 48-character string.
Pending New Indicator Pending new activation indicator. If set, this field indicates that the dynamic IP tunnel is in the pending state and it represents a new activation rather than a refresh. If it is not set, the tunnel is either not in pending state or is not a new activation. For z/OS Communications Server Version 1.7, the value will always be 0. This value is stored as an integer and displayed as a string. Valid values are:
Protocol The IP protocol number for the data to be carried in the tunnel. A value of zero (0) indicates that the tunnel protects data for any protocol. The format is an integer representing an Internet Engineering Task Force (IETF)-defined protocol number.
Refresh Life Size The number of bytes that may traverse the tunnel before a refresh is needed. This value is zero (0) if no life size was negotiated. The format is an integer.
Remote Client ID Internet Security Associations Key Management Protocol (ISAKMP) identity of the remote client. A string containing an identifier as described by Remote Client ID Type. Some of the ID strings can get as long as 2048 characters. The ID is always truncated at 100 characters. If no IDs are exchanged, this field contains blanks. The format is a string of up to 100 characters. This field is not displayed.
Remote Client ID Type Internet Security Associations Key Management Protocol (ISAKMP) identity type for the remote client ID as defined in RFC 2407. If the client IDs were not exchanged during negotiation, this column is blank. This value is stored as an integer and displayed as a string. Valid values are:
This field is not displayed.
Remote IKE UDP Port The IKE UDP port of the remote security endpoint. This column is blank when UDP encapsulation is not being used by the tunnel. This column is stored as a 5-character string.
Remote NAPT Indicator Indicates if a network address port translation (NAPT) has been detected in front of the remote security endpoint. It is possible that an NAPT may exist but is detected only as a NAT. This value is stored as an integer and displayed as a string. Valid values are:
Remote NAT Indicator Indicates if a NAT has been detected in front of the remote security endpoint. This value is stored as an integer and displayed as a string. Valid values are:
Remote NAT Traversal Gateway Indicator Indicates if the remote security endpoint is acting as a NAT traversal gateway. If the remote security endpoint is acting as a NAT traversal gateway, the tunnel uses UDP encapsulation and the remote security endpoint is acting as an IPSec gateway. This value is stored as an integer and displayed as a string. Valid values are:
Remote Security Endpoint The IP address of the remote security endpoint responsible for negotiating the tunnel. The format is a UTF-8 encoded character string of up to 45 characters.
Remote zOS Indicator Indicates if the remote peer is a z/OS system. This can be detected only if NAT traversal is enabled. Even if NAT traversal is enabled, it is possible for the remote peer to be a z/OS system and this indicator not to be set. This value is stored as an integer and displayed as a string. Valid values are:
Source Address Source IP address for data protected by this tunnel. This value may be an IPv4 or IPv6 address. If the traffic protected by the tunnel may have any destination IP address, this field is displayed as blanks and stored as "0". If the traffic protected by the tunnel is a range of destination IP addresses, the value displayed is the lower address in the range. The format is a UTF-8 encoded character string of up to 45 characters.
Source NAT-OA Payload The source network address translation original address (NAT-OA) payload. NAT-OA payloads are exchanged only for certain UDP-encapsulated tunnels. During NAT traversal negotiations, the Internet Key Exchange (IKE) peer sends the source IPv4 address that it is aware of. If NAT traversal negotiation did not occur, or if the peer did not send a source NAT-OA payload, this column is blank. This column is stored as a 15-character string. This field is not displayed.
Source Port Source port for traffic protected by the tunnel. If the tunnel protects data for all source ports, this value is 0. This field is represented by a 5-character string.
State Current state of the tunnel. This value is stored as an integer and displayed as a string. Valid values are:
SWSA Shadow Indicator Sysplex-Wide Security Associations shadow indicator. If this value is set, the tunnel is a SWSA shadow tunnel. This value is stored as an integer and displayed as a string.
Sysplex Name The name of the sysplex that the monitored system is part of. This field is not displayed.
System ID The SMF system ID. The format is an alphanumeric string no longer than 4 characters. This field is not displayed.
TCPIP STC Name The name of the TCP/IP job. The format is an alphanumeric string no longer than 8 characters. This field is not displayed.
Total Bytes The total number of inbound and outbound bytes for this tunnel since the tunnel was installed. The value in this column can be added to the product of 1,073,741,824 and the value in the Total Bytes (in G) column to calculate the total bytes for the tunnel. For SWSA tunnels, the value is for bytes that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Bytes (in G) The total number of inbound and outbound bytes for this tunnel since the tunnel was installed, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the Total Bytes column to calculate the total bytes for the tunnel. For SWSA tunnels, the value is for bytes that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Inbound Bytes The total number of inbound bytes for this tunnel since the tunnel was installed. The value in this column can be added to the product of 1,073,741,824 and the value in the Total Inbound Bytes (in G) column to calculate the total inbound bytes for the tunnel. For SWSA tunnels, the value is for bytes that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Inbound Bytes (in G) The total number of inbound bytes for this tunnel since the tunnel was installed, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the Total Inbound Bytes column to calculate the total inbound bytes for the tunnel. For SWSA tunnels, the value is for bytes that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Inbound Packets The total number of inbound packets for this tunnel since the tunnel was installed. The value in this column can be added to the product of 1,073,741,824 and the value in the Total Inbound Packets (in G) column to calculate the total inbound packets for the tunnel. For SWSA tunnels, the value is for packets that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Inbound Packets (in G) The total number of inbound packets for this tunnel since the tunnel was installed, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the Total Inbound Packets column to calculate the total inbound packets for the tunnel. For SWSA tunnels, the value is for packets that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Outbound Bytes The total number of outbound bytes for this tunnel since the tunnel was installed. The value in this column can be added to the product of 1,073,741,824 and the value in the Total Outbound Bytes (in G) column to calculate the total outbound bytes for the tunnel. For SWSA tunnels, the value is for bytes that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Outbound Bytes (in G) The total number of outbound bytes for this tunnel since the tunnel was installed, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the Total Outbound Bytes column to calculate the total outbound bytes for the tunnel. For SWSA tunnels, the value is for bytes that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Outbound Packets The total number of outbound packets for this tunnel since the tunnel was installed. The value in this column can be added to the product of 1,073,741,824 and the value in the Total Outbound Packets (in G) column to calculate the total outbound packets for the tunnel. For SWSA tunnels, the value is for packets that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Outbound Packets (in G) The total number of outbound packets for this tunnel since the tunnel was installed, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the Total Outbound Packets column to calculate the total outbound packets for the tunnel. For SWSA tunnels, the value is for packets that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Packets The total number of inbound and outbound packets for this tunnel since the tunnel was installed. The value in this column can be added to the product of 1,073,741,824 and the value in the Total Packets (in G) column to calculate the total packets for the tunnel. For SWSA tunnels, the value is for packets that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Total Packets (in G) The total number of inbound and outbound packets for this tunnel since the tunnel was installed, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the Total Packets column to calculate the total packets for the tunnel. For SWSA tunnels, the value is for packets that have traversed the tunnel since it was assigned to this stack only. The format is an integer.
Tunnel ID Tunnel identifier. This identifier is generated by TCP/IP and is not unique. Multiple related tunnels may have the same tunnel ID. The format is an alphanumeric string of up to 48 characters.
Upper Destination Address If the traffic protected by the tunnel is a range of destination IP addresses, this is the upper address in the range. This value may be an IPv4 or IPv6 address. If the traffic protected by the tunnel is not a range of addresses, this field is displayed as blanks and stored as "0". The format is a UTF-8 encoded character string of up to 45 characters.
Upper Source Address If the traffic protected by the tunnel is a range of source IP addresses, this is the upper address in the range. This may be an IPv4 or IPv6 address. If the traffic protected by the tunnel is not a range of addresses or is all addresses, this field is stored as blanks. The format is a UTF-8 encoded character string of up to 45 characters.
Note: For comparison, leading zeros are added for unspecified digits in IPv4 and IPv6 addresses when they are stored.
VPN Action Name The name specified on a virtual private network (VPN) action definition statement. The VPN action describes how to protect the traffic that flows through the tunnel. It specifies attributes of the tunnel, such as what type of encryption to use. The format of the name is a character string of up to 48 characters.
VPN Life Expiration Time The time at which the tunnel should no longer be refreshed. This column is blank if no life time was negotiated for the VPN (security attributes implemented by the tunnel). This time is displayed in the following format:
mm/dd/yy hh:mm:ss
Where:
The stored format is a string no longer than 16 characters in the format CYYMMDDHHMMSSmmm (as in 1020315064501000 for 03/15/02 06:45:01) where:
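The stored formats described in this attribute list (CYYMMDDHHMMSSmmm times, the split Total and "(in G)" counters, zero-padded addresses, and the four SPIs that together identify a tunnel) can be decoded mechanically when tunnel rows are exported for review; the following Python is an added example, not part of the original documentation or the product. The row keys, sample values and the zero-padded IPv4 form are constructed for illustration, and reading C as a century digit (1 = 20xx) is an assumption consistent with the 1020315064501000 example above.

```python
from datetime import datetime
from ipaddress import ip_address

G = 1_073_741_824  # multiplier the page gives for the "(in G)" columns
# Hypothetical export keys for the four SPI attributes.
SPI_FIELDS = ("in_auth_spi", "in_encr_spi", "out_auth_spi", "out_encr_spi")

def parse_stored_time(stored):
    """Decode CYYMMDDHHMMSSmmm; a blank column (no life time negotiated) gives None."""
    s = stored.strip()
    if not s:
        return None
    if len(s) != 16 or not s.isdigit():
        raise ValueError(f"not a CYYMMDDHHMMSSmmm value: {stored!r}")
    # Assumption: C is a century digit (0 = 19xx, 1 = 20xx), which matches
    # the documented example 1020315064501000 -> 03/15/02 06:45:01.
    year = 1900 + 100 * int(s[0]) + int(s[1:3])
    return datetime(year, int(s[3:5]), int(s[5:7]), int(s[7:9]),
                    int(s[9:11]), int(s[11:13]), int(s[13:16]) * 1000)

def combine_total(low, in_g):
    """Total = "(in G)" column * 1,073,741,824 + plain column."""
    if not 0 <= low < G or in_g < 0:
        raise ValueError(f"counter pair out of range: low={low}, in_g={in_g}")
    return in_g * G + low

def normalize_address(stored):
    """Strip storage padding; "0" or blanks (any address / no range) gives None."""
    s = stored.strip()
    if s in ("", "0"):
        return None
    if ":" not in s:  # IPv4: ip_address() rejects zero-padded octets
        s = ".".join(str(int(octet)) for octet in s.split("."))
    return ip_address(s)

def tunnel_key(row):
    """The four SPIs together identify a tunnel; Tunnel ID alone is not unique."""
    spis = tuple(row.get(field) for field in SPI_FIELDS)
    # SPIs are undefined while the tunnel state is PENDING or INCOMPLETE.
    return None if any(value is None for value in spis) else spis

def normalize(row):
    """Turn one exported row into comparable Python values."""
    return {
        "key": tunnel_key(row),
        "tunnel_id": row["tunnel_id"],
        "dest": normalize_address(row["dest_addr"]),
        "expires": parse_stored_time(row["life_expiration"]),
        "total_bytes": combine_total(row["total_bytes"], row["total_bytes_g"]),
    }

# Constructed sample rows: two tunnels sharing one Tunnel ID, plus a pending one.
BASE = {"tunnel_id": "Y7", "dest_addr": "010.001.002.003",
        "life_expiration": "1020315064501000", "total_bytes": 5, "total_bytes_g": 2}
ROWS = [
    dict(BASE, in_auth_spi=0x1A2B3C4D, in_encr_spi=0x1A2B3C4E,
         out_auth_spi=0x5A6B7C8D, out_encr_spi=0x5A6B7C8E),
    dict(BASE, in_auth_spi=0x2A2B3C4D, in_encr_spi=0x2A2B3C4E,
         out_auth_spi=0x6A6B7C8D, out_encr_spi=0x6A6B7C8E),
    dict(BASE, dest_addr="0", life_expiration=" " * 16),  # pending: no SPIs yet
]

if __name__ == "__main__":
    for row in ROWS:
        print(normalize(row))
```

Keying on the SPI tuple rather than Tunnel ID keeps related tunnels that share an ID from being merged; rows whose key is None have no SPIs yet and need separate handling.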