<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m new here and I was hoping to find some help. I have built many IPSec tunnels between z/OS mainframes and Microsoft servers. This is my first attempt at building an IPSec host-to-host connection between RHEL and a z/OS mainframe. Though
it seems it should work in theory, I have had no luck so far. I am trying to do the following:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">(left) RHEL = lsysg01a <o:p></o:p></p>
<p class="MsoNormal">(right) z/OS mainframe = 10.y.y.y<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>CA server is on the mainframe<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>A site certificate is created and imported to the RHEL machine<o:p></o:p></p>
<pre># pk12util -i LSYSG01AOS28.p12 OS28CA.p12 -d /etc/ipsec.d
Enter Password or Pin for "NSS Certificate DB"
Enter password for PKCS12 file
pk12util: PKCS12 IMPORT SUCCESSFUL</pre>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Displaying key database shows the certificates<o:p></o:p></p>
<pre># certutil -L -d /etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

lsysg01a                                                     u,u,u
IKE DAEMON CA                                                ,,</pre>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Display of my /etc/ipsec.d/ipsec.conf<o:p></o:p></p>
<pre># cat ipsec.conf
config setup
# Connections are added below
conn testOS28
    type=transport
    left=10.x.x.x
    leftcert=lsysg01a
    right=10.y.y.y
    ike=aes256-sha1-modp2048
    keylife=480m
    ikelifetime=1440m
    phase2=esp
    phase2alg=aes256-sha1-modp2048
    authby=rsasig
    auto=start
    pfs=yes
# Include other configuration files
include /etc/ipsec.d/*.conf</pre>
<p class="MsoListParagraph"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Display of /etc/ipsec.secrets<o:p></o:p></p>
<pre># cat ipsec.secrets
: RSA "IKE DAEMON CA"</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I do not have iptables activated. IPSEC starts without errors. I do not know where the logged messages can be found to troubleshoot this further. On the mainframe side, I see this message (which indicates there is a mismatch in tunnel
definition):<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dec 29 11:29:29 OS28 TRMD.INET[32]: EZD0833I Packet denied, tunnel mismatch: 12/29/2014 16:29:28.68 filter rule= RHEL_LSYSG01A~7 ext= 2 sipaddr= 10.x.x.x dipaddr= 10.y.y.y proto= icmp(1) type= 8 code= 0 -= Interface= 10.82.X.X (I) dest=
local len= 84 tunnelID= N/A decap_tunnelID= N/A ifcname= LOSA42P0 fragment= N<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here is the ‘right’ tunnel definition:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:18.0pt;font-family:"Times New Roman","serif"">Security Level: PFS - AES 256 FIPS Compliant Settings<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Type:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Dynamic Tunnel
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Encryption:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">AES CBC 256-bit key (first choice)
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Authentication:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">SHA1 (first choice)
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Protocol:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">ESP (first choice)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:13.5pt;font-family:"Times New Roman","serif"">Advanced Security Level Settings<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">VPN Life:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">1440 Minutes
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Initiator PFS Level:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">None
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Acceptable PFS Levels:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">None<br>
Diffie-Hellman Group14<br>
Diffie-Hellman Group19<br>
Diffie-Hellman Group20<br>
Diffie-Hellman Group21<br>
Diffie-Hellman Group24<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">How to set the do not fragment bit:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Propagate
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">How to set the DSCP field:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Propagate<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">IKEv1 Dynamic tunnel encapsulation mode:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Transport
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">IKEv2 Dynamic tunnel encapsulation mode:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Either
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Local Security Endpoint for the Dynamic Tunnels:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">10.y.y.y
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Local IKE Identity for Dynamic Tunnels:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Courier New"">CN=IKED DAEMON RSA,C=USA<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">(X500 Name)
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Remote Security Endpoint for the Dynamic Tunnels:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">10.x.x.x
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Remote IKE Identity for Dynamic Tunnels:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Courier New"">CN=lsysg01a,C=USA<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">(X500 Name)
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">How to authenticate IKE (IKEv1):</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Digital Signature (RSA)
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">How to authenticate IKE (IKEv2):</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Digital Signature (ECDSA or RSA)
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">IKE Initiator mode:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">IKEv1 main mode
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">IKEv1 Responder mode:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Main
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">IKEv1 NAT Traversal:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Not allowed
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Bypass IP validation:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Use stack level setting (Yes)
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Certificate revocation checking preference:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">None
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">IKEv2 URL certificate lookup preference:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Use stack level setting (Tolerate)
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">IKEv2 authentication interval:</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Do not automatically reauthenticate<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any ideas?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">David<o:p></o:p></p>
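<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Added example (an editor's addition, not code from David's post, from libreswan or from z/OS): a Python script that lines up the libreswan side quoted above against the z/OS dynamic-tunnel policy and the certutil listing, reporting the phase 2 fields where the two sides are configured differently and whether the ipsec.secrets nickname names the host certificate. The conn stanza, trust flags, secrets line and z/OS policy are all typed in from the post; the DH name-to-group table (modp2048 = Group14, and so on) is the standard RFC 3526/5903 numbering, and the function names are my own.</p>
```python
"""Added example (not code from the post, libreswan or z/OS): line up the libreswan side
quoted above against the z/OS dynamic-tunnel policy and the NSS certificate database.
All inputs below are typed in from the post, not read from a live system."""
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,  # libreswan name to
             "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21, "dh24": 24}  # z/OS GroupNN
IPSEC_CONF = """\
conn testOS28
    type=transport
    left=10.x.x.x
    leftcert=lsysg01a
    right=10.y.y.y
    phase2=esp
    phase2alg=aes256-sha1-modp2048
    authby=rsasig
    auto=start
    pfs=yes
"""
NSS_CERTS = {"lsysg01a": "u,u,u", "IKE DAEMON CA": ",,"}  # certutil -L: nickname, trust flags
IPSEC_SECRETS = ': RSA "IKE DAEMON CA"'
ZOS_POLICY = {"encapsulation": "transport", "protocol": "esp", "esp_enc": "aes256",
              "esp_integ": "sha1", "ike_auth": "rsasig", "initiator_pfs": None,
              "acceptable_pfs": [None, 14, 19, 20, 21, 24]}

def parse_conn(text, name):
    """Return the key=value settings of the 'conn NAME' stanza."""
    settings, inside = {}, False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.split()[:1] in (["conn"], ["config"]):
            inside = line == "conn " + name
        elif inside and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_proposal(prop):
    """'aes256-sha1-modp2048' to (enc, integ, DH group number or None)."""
    parts = prop.split("-")
    integ = parts[1] if len(parts) != 1 else None
    group = DH_GROUPS.get(parts[2]) if len(parts) == 3 else None
    return parts[0], integ, group

def compare(conn, policy):
    """(field, libreswan value, z/OS value) for each phase 2 field the two sides disagree on."""
    enc, integ, group = parse_proposal(conn["phase2alg"])
    pairs = [("encapsulation", conn.get("type", "tunnel"), policy["encapsulation"]),
             ("protocol", conn.get("phase2", "esp"), policy["protocol"]),
             ("esp_enc", enc, policy["esp_enc"]), ("esp_integ", integ, policy["esp_integ"]),
             ("ike_auth", conn.get("authby", "rsasig"), policy["ike_auth"])]
    if conn.get("pfs", "yes") == "yes":
        # pfs=yes: libreswan offers the phase2alg DH group, which z/OS must list as acceptable;
        # when z/OS starts phase 2 itself it uses its own "Initiator PFS Level" instead
        pairs.append(("pfs_group", group, group if group in policy["acceptable_pfs"] else None))
        pairs.append(("initiator_pfs", group, policy["initiator_pfs"]))
    return [p for p in pairs if p[1] != p[2]]

def check_secrets(secrets_line, certs, conn):
    """The ': RSA "nickname"' line should name the host cert (trust flag 'u' = private key in the NSS db) and match leftcert=."""
    nick = secrets_line.split('"')[1]
    findings = []
    if "u" not in certs.get(nick, ""):
        findings.append("%s has no private key in the NSS db" % nick)
    if nick != conn.get("leftcert"):
        findings.append("%s is not the leftcert nickname %s" % (nick, conn.get("leftcert")))
    return findings
```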
</div>
</body>
</html>