IBM Support

When using the Configuration Assistant for z/OS Communications Server to configure IP Security, what do I specify as the RemoteSecurityEndpoint IpAddr when using an IP Group?

Question & Answer


Question

When using the Configuration Assistant for z/OS Communications Server to define IPSec policy information, I can code an IP Address Group for the Remote Data Endpoint. What do I code for the Remote Security Endpoint IP Address as this only allows a single entry?

Answer

The Remote Security Endpoint IP address can be coded as a subnet (1.1.1.0/24) or a range (1.1.1.1-1.1.1.40), but that does not help if the remote IKE partners you want to define are not in the same subnet. In that case, code the Remote Security Endpoint IP address as 0.0.0.0 or 0.0.0.0/0 and scope the endpoint to the IP Address Group by referencing the group in the LocationGroupRef value.

The IP Security policy file that the Configuration Assistant generates will then contain definitions of the following type:

 ## IP address group for remote endpoints
 IpAddrGroup                    Mike_IP_Group
 {
     IpAddr
     {
         Addr 1.1.1.1
     }
     IpAddr
     {
         Addr 2.2.2.2
     }
     IpAddr
     {
         Addr 3.3.3.3
     }
 }
 
 RemoteSecurityEndpoint         MRGroupIPSecRule~RSE~2
 {
   Identity                     IpAddr 0.0.0.0
   LocationGroupRef             Mike_IP_Group
 }
 

The above answer assumes that the rule uses the Host to Host topology and that the field referred to in the question ("What do I code for the Remote Security Endpoint IP Address as this only allows a single entry?") is the remote IKE identity.

The remote identity can be of a variety of types, not just an IP address; whichever type is used, it must match the identity configured on the remote IKE system.

If the rule is Host to Gateway, you do have to configure the IP address of the remote IKE system, because the gateway itself is the IKE peer.
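The pairing described above (a wildcard Identity IpAddr that is scoped by a LocationGroupRef) is easy to get wrong by hand, so the following script lints a generated policy file for it. This is an added example in Python, not IBM code or Configuration Assistant output. It assumes a grammar of one statement per line with an optional brace body and '#' comments, which covers only the fragment shown on this page; the two policy texts in the block are constructed inputs (the first reproduces the page's fragment), and the function and variable names are the example's own. It also reports the smallest prefix that covers the referenced group, so you can see whether the subnet form of the identity would have done instead of 0.0.0.0.

```python
"""Check that a wildcard RemoteSecurityEndpoint identity in a z/OS IP Security policy
file is scoped by a LocationGroupRef to a defined IpAddrGroup, as the answer above says.
Added example, not IBM code or Configuration Assistant output: the grammar accepted here
(one statement per line, optional '{ ... }' body, '#' comments) is an assumption."""
import ipaddress

# Constructed input: the fragment from the page.
SAMPLE_POLICY = """\
## IP address group for remote endpoints
IpAddrGroup                    Mike_IP_Group
{
    IpAddr
    {
        Addr 1.1.1.1
    }
    IpAddr
    {
        Addr 2.2.2.2
    }
    IpAddr
    {
        Addr 3.3.3.3
    }
}
RemoteSecurityEndpoint         MRGroupIPSecRule~RSE~2
{
  Identity                     IpAddr 0.0.0.0
  LocationGroupRef             Mike_IP_Group
}
"""
# Constructed input: the same wildcard identity with the group reference left out.
BAD_POLICY = "RemoteSecurityEndpoint Unscoped~RSE\n{\n  Identity IpAddr 0.0.0.0/0\n}\n"
WILDCARD_IDENTITIES = {("IpAddr", "0.0.0.0"), ("IpAddr", "0.0.0.0/0")}

def parse_policy(text):
    """Parse stanzas into nested dicts {type, args, attrs: [(key, values)], children}."""
    root = {"type": "root", "args": [], "attrs": [], "children": []}
    stack, pending = [root], None  # pending: last statement, not yet known to be leaf or header
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "{":  # the pending statement was a block header
            if pending is None:
                raise ValueError("'{' without a preceding statement")
            block = {"type": pending[0], "args": pending[1:], "attrs": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            pending = None
        elif line:
            if pending is not None:  # not followed by '{', so it was a leaf attribute
                stack[-1]["attrs"].append((pending[0], pending[1:]))
            if line == "}":
                stack.pop()
            pending = None if line == "}" else line.split()
    if pending is not None:
        stack[-1]["attrs"].append((pending[0], pending[1:]))
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def ip_addr_groups(root):
    """Map IpAddrGroup name -> member networks (Addr may be an address, subnet or lo-hi range)."""
    def expand(value):
        if "-" in value:
            lo, hi = (ipaddress.ip_address(p) for p in value.split("-", 1))
            return list(ipaddress.summarize_address_range(lo, hi))
        return [ipaddress.ip_network(value, strict=False)]
    return {blk["args"][0]: [net for child in blk["children"] if child["type"] == "IpAddr"
                             for key, values in child["attrs"] if key == "Addr"
                             for net in expand(values[0])]
            for blk in root["children"] if blk["type"] == "IpAddrGroup"}

def covering_subnet(networks):
    """Smallest prefix containing every member; a narrow result means the subnet
    form of the identity (e.g. 1.1.1.0/24) would have done instead of 0.0.0.0."""
    lo = min(n.network_address for n in networks)
    hi = max(n.broadcast_address for n in networks)
    net = ipaddress.ip_network(f"{hi}/{hi.max_prefixlen}")
    while lo < net.network_address:  # net always contains hi; widen until it contains lo
        net = net.supernet()
    return net

def check_remote_endpoints(text):
    """Map each RemoteSecurityEndpoint name to (problem or None, covering subnet or None)."""
    groups = ip_addr_groups(root := parse_policy(text))
    out = {}
    for blk in (b for b in root["children"] if b["type"] == "RemoteSecurityEndpoint"):
        attrs = dict(blk["attrs"])
        ref = attrs.get("LocationGroupRef", [None])[0]
        problem = covering = None
        if tuple(attrs.get("Identity", ())) in WILDCARD_IDENTITIES:
            if ref is None:
                problem = "wildcard Identity IpAddr without LocationGroupRef"
            elif ref not in groups:
                problem = f"LocationGroupRef {ref} names no IpAddrGroup"
            else:  # scoped correctly; report how tight the group actually is
                covering = str(covering_subnet(groups[ref]))
        out[blk["args"][0]] = (problem, covering)
    return out
```

For the page's fragment the check reports no problem and a covering prefix of 0.0.0.0/6, confirming that 1.1.1.1, 2.2.2.2 and 3.3.3.3 share no usable subnet and the wildcard-plus-group form is the right choice; for a group such as 1.1.1.1-1.1.1.40 it reports 1.1.1.0/26, a hint that the subnet or range form from the first sentence of the answer would suffice.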


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
04 January 2016

UID

dwa1246460