z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD1799I
IKE cannot initiate with local data addresses ipaddress_range for a Security Association traversing a NAT

Explanation

The Internet Key Exchange (IKE) daemon tried to activate a phase 2 Security Association (SA) that will traverse a network address translation (NAT) device, but the identity specified for the local data endpoint in the policy for this SA defined a range of local IP addresses that is to be protected by the SA. When traversing a NAT, the IP address of the local data endpoint must be specified as a single host address.

Additional diagnostic messages that have the same message instance number will be issued to identify the impacted Security Association (SA). The message instance number precedes the message number in the log output and is used to group related messages from the IKE daemon.

In the message text:
ipaddress_range
The IP address range that was specified for the local data endpoint.

System action

The phase 2 SA negotiation fails; IKE daemon processing continues.

Operator response

Contact the system programmer.

System programmer response

Ensure that only single host addresses are specified as data endpoints when traversing a NAT. Notify the administrator of the remote security endpoint and ask the administrator to ensure that only single IPv4 addresses are specified as data endpoints when traversing a NAT.

User response

Not applicable.

Problem determination

None.

Source

z/OS® Communications Server TCP/IP: IKE daemon

Module

oakley_phaseII.cpp

Routing code

11

Descriptor code

7

Automation

This message is output to syslog.

Example

EZD1799I IKE cannot initiate with local data addresses 9.42.130.0/24 for a Security Association 
         traversing a NAT
EZD1799I IKE cannot initiate with local data addresses 9.42.130.0-9.42.130.128 for a Security Association 
         traversing a NAT
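
A triage helper for this message, added here as an example and not IBM code: it pulls the rejected `ipaddress_range` out of EZD1799I text and checks whether a candidate endpoint specification is a single host. The function names are hypothetical, the syslog prefix ahead of the message number is ignored because this page does not describe it, and treating a `/32` prefix or a range with equal bounds as a single host is an assumption.

```python
import ipaddress
import re

# Message text as documented on this page. \s+ also absorbs the line wrap
# shown in the Example section.
EZD1799I = re.compile(
    r"EZD1799I IKE cannot initiate with local data addresses (\S+)\s+"
    r"for a Security Association\s+traversing a NAT"
)

def parse_endpoint(spec):
    """Return (first, last) address for 'addr', 'addr/prefixlen' or 'low-high'."""
    if "-" in spec:
        low, high = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        if low.version != high.version or int(low) > int(high):
            raise ValueError(f"bad address range: {spec}")
        return low, high
    net = ipaddress.ip_network(spec, strict=False)
    return net[0], net[-1]

def is_single_host(spec):
    """True when the specification covers exactly one address (assumed to be
    what 'single host address' means for a NAT-traversing SA)."""
    first, last = parse_endpoint(spec)
    return first == last

def rejected_endpoints(log_text):
    """List (ipaddress_range, number_of_addresses) for each EZD1799I found."""
    found = []
    for match in EZD1799I.finditer(log_text):
        first, last = parse_endpoint(match.group(1))
        found.append((match.group(1), int(last) - int(first) + 1))
    return found

# The two messages from the Example section of this page, wrapped as shown
# there, followed by one constructed unrelated line.
SAMPLE = """\
EZD1799I IKE cannot initiate with local data addresses 9.42.130.0/24 for a Security Association 
         traversing a NAT
EZD1799I IKE cannot initiate with local data addresses 9.42.130.0-9.42.130.128 for a Security Association 
         traversing a NAT
constructed line that is not an EZD1799I message
"""

if __name__ == "__main__":
    for spec, count in rejected_endpoints(SAMPLE):
        print(f"{spec}: {count} addresses, single host: {is_single_host(spec)}")
```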

Copyright IBM Corporation 1990, 2014