IBM Support

How can I verify that a manual IPSec tunnel is actually passing data?

Question & Answer


Question

What command can I use to verify that a manual IPSec tunnel between z/OS and a firewall is actually passing data?

Answer

  1. Obtain the manual tunnel ID by locating the TunnelID field in the ipsec -f display command output. The Tunnel ID for a manual tunnel has a value of M, followed by a positive integer.

  2. Verify that the manual tunnel is active by issuing the ipsec -m display -a Mxx command, where Mxx is the manual tunnel ID from the tunnel display command.

  3. Locate the State field in the ipsec -m command output and confirm that it indicates Active. If the manual tunnel is not active, then activate the tunnel using the ipsec -m activate command. You might consider updating the IpManVpnAction policy configuration statement to specify Active yes, if it is not already specified. A setting of Active yes causes the manual tunnel state to be set to active when the manual tunnel is installed in the stack, without the additional step of issuing ipsec -m activate. If you are using the IBM® Configuration Assistant for z/OS® Communications Server to configure, you can choose to automatically activate manual tunnels within each Connectivity Rule.

  4. To verify whether a manual tunnel is passing data, check the OutboundPackets, OutboundBytes, InboundPackets, and InboundBytes fields in the ipsec -m display command output. Those fields display the number of packets and bytes flowing inbound and outbound over this tunnel.
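
The check in steps 3 and 4, scripted as an added example (not IBM's code): it compares the packet counters from two snapshots of ipsec -m display -a Mxx output taken some time apart, because a non-zero counter alone does not show that traffic is flowing now. The snapshots are constructed, and the one-field-per-line "Name: value" layout, the function names and the verdict strings are assumptions.

```shell
#!/bin/sh
# Added example. ASSUMPTION: each field prints as "Name: value" on its own line.
# Live use: before=$(ipsec -m display -a Mxx); sleep 60; after=$(ipsec -m display -a Mxx)

# Constructed snapshots (not real command output).
SNAP1='TunnelID:          M1
State:             Active
OutboundPackets:   120
OutboundBytes:     15360
InboundPackets:    0
InboundBytes:      0'
SNAP2='TunnelID:          M1
State:             Active
OutboundPackets:   180
OutboundBytes:     23040
InboundPackets:    0
InboundBytes:      0'

# field NAME TEXT -> value of the first "NAME: value" line in TEXT
field() {
    printf '%s\n' "$2" | awk -v n="$1:" '$1 == n { print $2; exit }'
}

# is_uint VALUE -> succeeds only for a non-empty string of digits
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# tunnel_verdict BEFORE AFTER -> one-word verdict on the packet counters
tunnel_verdict() {
    state=$(field State "$2")
    [ -n "$state" ] || { echo parse-error; return 0; }
    [ "$state" = "Active" ] || { echo not-active; return 0; }
    o1=$(field OutboundPackets "$1"); o2=$(field OutboundPackets "$2")
    i1=$(field InboundPackets "$1");  i2=$(field InboundPackets "$2")
    for v in "$o1" "$o2" "$i1" "$i2"; do
        is_uint "$v" || { echo parse-error; return 0; }
    done
    # A counter that went down restarted between samples; deltas are meaningless.
    if [ "$o2" -lt "$o1" ] || [ "$i2" -lt "$i1" ]; then echo counters-reset; return 0; fi
    if   [ "$o2" -gt "$o1" ] && [ "$i2" -gt "$i1" ]; then echo both-directions
    elif [ "$o2" -gt "$o1" ]; then echo outbound-only
    elif [ "$i2" -gt "$i1" ]; then echo inbound-only
    else echo idle
    fi
}

tunnel_verdict "$SNAP1" "$SNAP2"
```

For the constructed snapshots the verdict is outbound-only: z/OS is sending packets into the tunnel, but none are arriving from the firewall side.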


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
06 August 2015

UID

dwa1206615