z/OS Communications Server: IP Messages Volume 2 (EZB, EZD) SC27-3655-01

EZD1089I A tunnel mode Security Association traversing a NAT does not have its local IPSec traffic endpoint residing on this node

Explanation
During the negotiation of a tunnel mode Security Association (SA), it was determined that the local IPSec traffic endpoint did not end on this z/OS® node. z/OS is providing NAT Traversal support for a defined group of configurations where z/OS is running the IKE daemon. See the information about IP security in z/OS Communications Server: IP Configuration Guide for a description of the supported configurations.

System action
The tunnel mode SA negotiation fails; IKE daemon processing continues.

Operator response
Contact the system programmer.

System programmer response
Alter the local policy configuration so that the local IPSec traffic endpoint is local to this z/OS. When configured without the IBM® Configuration Assistant for z/OS Communications Server, in the policy agent configuration file, this IP address is the IpSourceAddr parameter on the IpFilterRule. See the information about the Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring policy. When configured with the IBM Configuration Assistant for z/OS Communications Server, edit the corresponding Connectivity Rule in the GUI and ensure the local data endpoint address is one that is local to the TCP/IP stack. Gateway-to-host and gateway-to-gateway topologies are not supported for NAT. See the online helps in the GUI for additional information.

Module
oakley_phaseII.cpp

Procedure name
None.

Copyright IBM Corporation 1990, 2014