EZD1925I z/OS Communications Server: IP Messages Volume 2 (EZB, EZD) SC27-3655-01
EZD1925I IKE detected a NAT while initiating a new transport mode IKEv2 dynamic tunnel with a non-z/OS peer

Explanation
The Internet Key Exchange (IKE) daemon is initiating a transport-mode Security Association (SA) for a new IKEv2 dynamic tunnel with a non-z/OS peer. The SA traverses a Network Address Translation (NAT) device. There might be problems with interoperability with the non-z/OS peer for a transport-mode SA. z/OS® is providing NAT traversal support for a defined group of configurations where z/OS is running the IKE daemon. See the IP security in z/OS Communications Server: IP Configuration Guide for a description of the supported configurations and interoperability considerations.

System action
The SA negotiation continues.

Operator response
If the SA negotiation fails or if data cannot be successfully sent over the SA, contact the system programmer.

System programmer response
Determine whether there is an interoperability concern that caused the SA negotiation or data flow to fail. See the IP security in z/OS Communications Server: IP Configuration Guide for a description of the supported configurations and interoperability considerations. Confirm that the non-z/OS peer supports transport-mode with NAT traversal as defined in RFC 5996 section 2.23.1. A possible solution is to use a tunnel-mode IpDynVpnAction object instead of a transport-mode IpDynVpnAction object. See the Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring policy.

User response
Not applicable.

Problem determination
Not applicable.

Source
z/OS Communications Server TCP/IP: IKE daemon

Module
CommonIPsecSA.cpp

Routing code
2

Descriptor code
5

Automation
Not applicable.

Example
Copyright IBM Corporation 1990, 2014