z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


EZD1160I

z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD1160I
Policy mismatch: IpDynVpnAction statement_name requires parameter parameter_name with value policy_value but the value selected by the IKE peer is peer_value

Explanation

The Internet Key Exchange (IKE) daemon was unable to accept a value selected by the IKE peer because the value is not allowed by the local policy. The Security Association negotiation will fail. Message EZD1022I will be issued to syslog and will indicate the failure.

In the message text:
statement_name
  • In the policy agent configuration file, the statement_name value is the name specified on the applicable IpDynVpnAction statement.
  • If the policy agent is configured with the IBM® Configuration Assistant for z/OS® Communications Server, the statement_name value corresponds to the name of the security level in the GUI. The value also contains a numeric suffix appended to the security level name to guarantee uniqueness.
parameter_name
The IpDynVpnAction parameter that encountered a mismatch. See the Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about the parameter specified.
policy_value
The IpDynVpnAction parameter value that does not match the value selected by the IKE peer.
peer_value
The value selected by the IKE peer that does not match the policy_value value.

System action

The negotiation fails; the IKE daemon continues.

Operator response

Notify the system programmer.

System programmer response

Ensure that the IpDynVpnAction statement is configured correctly. Alter either the local policy to accept the value specified by peer_value in this statement or notify the administrator of the remote security endpoint about the mismatch and ask the administrator to alter the remote configuration to propose the policy_value value required by the local policy. See the Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference for more information about configuring policy.

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS Communications Server TCP/IP: IKE daemon

Module

IKEv2TSRequest.cpp

Routing code

2

Descriptor code

5

Automation

Not applicable.

Example

EZD1160I Policy mismatch: IpDynVpnAction p2_action requires parameter HowToEncapIKEv2
with value Transport but the value selected by the IKE peer is Tunnel

Parent topic: EZD1xxxx messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014