z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)


SC27-3655-01

EZD1089I
A tunnel mode Security Association traversing a NAT does not have its local IPSec traffic endpoint residing on this node

Explanation

During the negotiation of a tunnel mode Security Association (SA), it was determined that the local IPSec traffic endpoint did not end on this z/OS® node. z/OS provides NAT Traversal support for a defined group of configurations in which z/OS is running the IKE daemon. See the information about IP security in z/OS Communications Server: IP Configuration Guide for a description of the supported configurations.

System action

The tunnel mode SA negotiation fails; IKE daemon processing continues.

Operator response

Contact the system programmer.

System programmer response

Alter the local policy configuration so that the local IPSec traffic endpoint is local to this z/OS.

When policy is configured without the IBM® Configuration Assistant for z/OS Communications Server, this IP address is the IpSourceAddr parameter on the IpFilterRule in the policy agent configuration file. See the information about the Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring policy.

When policy is configured with the IBM Configuration Assistant for z/OS Communications Server, edit the corresponding Connectivity Rule in the GUI and ensure the local data endpoint address is one that is local to the TCP/IP stack. Gateway-to-host and gateway-to-gateway topologies are not supported for NAT. See the online help in the GUI for additional information.
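For the configuration-file case, the following added example (not IBM code) lists each IpFilterRule whose IpSourceAddr is not a single address owned by the local stack, so those rules can be reviewed. The sample policy text and the local address list are constructed, the helper name `nonlocal_source_rules` is hypothetical, and the parser assumes simple IpFilterRule blocks without nested braces.

```python
import ipaddress
import re

# Constructed sample in the style of a policy agent configuration file.
SAMPLE_POLICY = """
IpFilterRule HostToGateway
{
  IpSourceAddr 192.0.2.10
  IpDestAddr 198.51.100.0/24
}
IpFilterRule GatewayToGateway
{
  IpSourceAddr 203.0.113.0/24
  IpDestAddr 198.51.100.0/24
}
IpFilterRule RemoteHost
{
  IpSourceAddr 203.0.113.7
  IpDestAddr 198.51.100.9
}
"""

# Assumed home addresses of the local TCP/IP stack (constructed values).
LOCAL_ADDRS = ["192.0.2.10", "192.0.2.11"]

RULE_RE = re.compile(r"IpFilterRule\s+(\S+)\s*\{(.*?)\}", re.S)
SRC_RE = re.compile(r"^\s*IpSourceAddr\s+(\S+)", re.M)

def nonlocal_source_rules(policy_text, local_addrs):
    """Return [(rule name, IpSourceAddr value)] for rules needing review."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    findings = []
    for name, body in RULE_RE.findall(policy_text):
        match = SRC_RE.search(body)
        if match is None:
            continue  # rule has no IpSourceAddr line to check
        value = match.group(1)
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append((name, value))  # not a plain address or prefix
            continue
        # A local traffic endpoint is one host address owned by this stack.
        if net.num_addresses != 1 or net.network_address not in local:
            findings.append((name, value))
    return findings

if __name__ == "__main__":
    for rule, addr in nonlocal_source_rules(SAMPLE_POLICY, LOCAL_ADDRS):
        print(f"review {rule}: IpSourceAddr {addr} is not a local address")
```

A flagged rule is only a candidate: it matters for this message when the rule protects tunnel mode traffic that traverses a NAT.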

Module

oakley_phaseII.cpp

Procedure name

None.





Copyright IBM Corporation 1990, 2014