z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD1151I
KeyExchangeAction actionname prevents the creation of a dynamic tunnel with source data endpoint specification source_ip and destination data endpoint specification dest_ip

Explanation

Dynamic tunnel activation is denied as a result of a configured source or destination data IP address constraint. See the information about the KeyExchangeAction statement in z/OS Communications Server: IP Configuration Reference for an explanation of data address constraints.

In the message text:
actionname
The name of the KeyExchangeAction statement configured with a source or destination IP address constraint.
source_ip
The source IP address of the dynamic tunnel.
dest_ip
The destination IP address of the dynamic tunnel.

System action

The dynamic tunnel activation fails; IKE daemon processing continues.

Operator response

Contact the system programmer.

System programmer response

If the tunnel activation should be permitted, then do one of the following to correct the configuration.
  • When IPSec policy is configured with the IBM® Configuration Assistant for z/OS® Communications Server, add a connectivity rule with a local data endpoint that matches the source_ip value and a remote data endpoint that matches the dest_ip value at the top of the rule list.
  • When IPSec policy is configured without the IBM Configuration Assistant for z/OS Communications Server, update the KeyExchangeAction ConstrainSource or ConstrainDest configuration to include the source_ip value and the dest_ip value. See the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring policy.

If the tunnel activation should not be permitted, then determine whether the tunnel was activated locally or remotely. If the source_ip value matches the IP address value in the Local IPSec Client ID information from the Security Association (SA) Context Information that was output with the message, then the tunnel was activated locally. Otherwise, the tunnel was activated remotely. If the tunnel was activated locally but should not be permitted, then correct the local IpFilterPolicy statement to block the activation. See the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring the IpFilterPolicy statement. If the tunnel was activated remotely but should not be permitted, then contact the owner of the remote system to request that the activation be blocked on that system.
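The local-versus-remote decision described above, applied to the syslog output the IKE daemon writes (the Example section shows the format), as an added Python example that is not part of this IBM documentation. It assumes the SA Context Information lines precede the EZD1151I line within the same message instance and that a wrapped message continues on indented lines; the sample log is a trimmed copy of the page's example.

```python
import re
from ipaddress import ip_network

# Constructed sample: a trimmed copy of the EZD1151I syslog output shown on this page.
SAMPLE_LOG = """\
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  Local IPSec Client ID info  : Ipv4 1.1.0.1 Port: Any
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  Remote IPSec IP info : 1.2.0.1
Jun 19 22:34:08 MVS073 IKE: Message instance 3: EZD1151I KeyExchangeAction ConstrainedAction1 prevents the
    creation of a dynamic tunnel with source data endpoint specification 1.1.0.1 and destination data endpoint
    specification 0.0.0.0/0
"""

PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ IKE: Message instance (\d+): ?(.*)$")
MSG = re.compile(r"EZD1151I KeyExchangeAction (\S+) prevents the creation of a dynamic tunnel with source "
                 r"data endpoint specification (\S+) and destination data endpoint specification (\S+)")
FIELD = re.compile(r"^(Local IPSec Client ID info|Remote IPSec IP info) *: (.*)$")
ADDR = re.compile(r"ipv4 (?:subnet )?(\S+)", re.IGNORECASE)  # the daemon writes both "Ipv4" and "IPV4"

def as_net(spec):
    """Normalize host/CIDR text so '1.1.0.1' and '1.1.0.1/32' compare equal; other forms stay as text."""
    try:
        return ip_network(spec, strict=False)
    except ValueError:
        return spec

def group_instances(text):
    """Bucket message bodies by 'Message instance' number, re-joining wrapped continuation lines."""
    instances, current = {}, None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            current = int(m.group(1))
            instances.setdefault(current, []).append(m.group(2).strip())
        elif line[:1].isspace() and current is not None:  # indented tail of the previous body
            instances[current][-1] += " " + line.strip()
    return instances

def triage(text):
    """One record per EZD1151I: source_ip equal to the Local IPSec Client ID address means local origin."""
    records = []
    for inst, bodies in group_instances(text).items():
        ctx = {f.group(1): f.group(2).strip() for f in map(FIELD.match, bodies) if f}
        for m in filter(None, map(MSG.search, bodies)):
            action, src, dst = m.groups()
            local_id = ADDR.search(ctx.get("Local IPSec Client ID info", ""))
            origin = "local" if local_id and as_net(local_id.group(1)) == as_net(src) else "remote"
            records.append({"instance": inst, "action": action, "source": src, "destination": dst,
                            "origin": origin,
                            "block_via": "local IpFilterPolicy" if origin == "local"
                            else "owner of peer " + ctx.get("Remote IPSec IP info", "?")})
    return records
```

Each record names the KeyExchangeAction to extend with ConstrainSource/ConstrainDest if the tunnel should be permitted, and where to block it if it should not.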

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS Communications Server TCP/IP: IKE daemon

Module

policymgr.cpp

Routing code

Not applicable for syslog message.

Descriptor code

Not applicable for syslog message.

Automation

This message goes to the syslog.

Example

Jun 19 22:34:08 MVS073 IKE: Message instance 3:  *** SA Context Information ***
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  Phase 2 SAID : 0          Assoc P1 ID : 2
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  Stackname : TCPCS1
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  Local IPSec Client ID info  : Ipv4 1.1.0.1 Port: Any
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  Remote IPSec Client ID info : IPV4 Subnet 0.0.0.0/0 Port: Any
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  Local IPSec IP info : 1.1.0.1
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  Remote IPSec IP info : 1.2.0.1
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  Protocol : UDP(17)
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  LocalDynVpnRuleName : udpvpn1
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  AH SPIs in/out : 0 / 0
Jun 19 22:34:08 MVS073 IKE: Message instance 3:  ESP SPIs in/out : 0 / 0
Jun 19 22:34:08 MVS073 IKE: Message instance 3: EZD1151I KeyExchangeAction ConstrainedAction1 prevents the
    creation of a dynamic tunnel with source data endpoint specification 1.1.0.1 and destination data endpoint
    specification 0.0.0.0/0


Copyright IBM Corporation 1990, 2014