Explanation
The Internet Key Exchange (IKE) daemon does not
support a traffic selector specification that it received from an
IKEv2 peer. The IKE daemon does not support the following types of
traffic selectors:
- Traffic selectors that use a distinct set of port values instead
of a contiguous range; these traffic selectors are called disjoint
traffic selectors. If the peer is acting as an initiator, the IKE
daemon attempts to find a pairing of its proposed traffic selectors
that is not disjoint. However, if the peer is acting as a responder,
the IKE daemon cannot accept a counter-proposal that contains disjoint
traffic selectors, so it fails the tunnel activation.
- Traffic selectors that are asymmetrical; for example, traffic
selectors that contain ICMP type 13 in one direction, but ICMP type
14 in the other direction. If the peer is acting as an initiator,
the IKE daemon attempts to find a pairing of its proposed traffic
selectors that is not asymmetrical. If the peer is acting as a responder
and its returned traffic selectors are asymmetrical, the IKE daemon
fails the tunnel activation.
- Traffic selectors that contain port, type, or code specifications
for any protocol other than TCP, UDP, ICMP, ICMPv6, or MIPv6. RFC
5996 Internet Key Exchange (IKEv2) Protocol makes provisions
for negotiating port, type, and code values for these protocols.
If the peer is acting as an initiator, the IKE daemon attempts to
find a pairing of its proposed traffic selectors that has recognizable
port, type, and code specifications. If the peer is acting as a responder
and its returned traffic selectors contain any unrecognized port,
type, or code specifications, the IKE daemon fails the tunnel activation.
See Related protocol specifications for information about accessing
RFCs.
To perform further diagnosis, enable the formatted packet
trace option in your IkeSyslogLevel configuration settings, and retry
tunnel activation. Your syslog contains the exact traffic selector
values that the peer is proposing.
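Once the formatted packet trace has given you the peer's TSi and TSr payload bytes, a check like the following shows which of the three restrictions above a proposal violates; it is an added example, not IBM's code and not the IKE daemon's own logic. Assumptions: the payload layout is the one in RFC 5996 section 3.13, "disjoint" is read as several selectors for the same protocol and address range whose port ranges leave a gap, symmetry is compared only for the type/code protocols (ICMP, ICMPv6, MIPv6 as IP protocol 135), and all function names and reason strings are hypothetical.

```python
import struct
from collections import defaultdict

TCP, UDP, ICMP, ICMPV6, MIPV6 = 6, 17, 1, 58, 135   # IP protocol numbers
PORT_PROTOCOLS = {TCP, UDP, ICMP, ICMPV6, MIPV6}    # list from the message text
TYPE_CODE_PROTOCOLS = {ICMP, ICMPV6, MIPV6}         # type/code ride in the port field
ANY_PORT = (0, 65535)                               # wire encoding of "no port spec"
ADDR_LEN = {7: 4, 8: 16}                            # TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE

def parse_ts_payload(body: bytes):
    """Parse a TSi/TSr payload body (the bytes after the generic payload header)."""
    selectors, offset = [], 4                       # 1-byte count + 3 reserved bytes
    for _ in range(body[0]):
        ts_type, proto, length, start, end = struct.unpack_from("!BBHHH", body, offset)
        alen = ADDR_LEN.get(ts_type)
        if alen is None or length != 8 + 2 * alen or offset + length > len(body):
            raise ValueError(f"malformed traffic selector at offset {offset}")
        addrs = body[offset + 8:offset + length]
        selectors.append({"proto": proto, "ports": (start, end), "addrs": addrs})
        offset += length
    return selectors

def type_code_specs(side):
    return {(ts["proto"], ts["ports"]) for ts in side if ts["proto"] in TYPE_CODE_PROTOCOLS}

def unsupported_reasons(tsi, tsr):
    """Return the restrictions from the message text that a TSi/TSr pair violates."""
    reasons = set()
    for side in (tsi, tsr):
        groups = defaultdict(list)
        for ts in side:
            groups[(ts["proto"], ts["addrs"])].append(ts["ports"])
            if ts["proto"] not in PORT_PROTOCOLS and ts["ports"] != ANY_PORT:
                reasons.add("unrecognized-port-spec")
        for ranges in groups.values():
            ranges.sort()
            high = ranges[0][1]
            for low, end in ranges[1:]:             # a gap means a non-contiguous port set
                if low > high + 1:
                    reasons.add("disjoint")
                high = max(high, end)
    if type_code_specs(tsi) != type_code_specs(tsr):
        reasons.add("asymmetrical")
    return reasons

def build_payload(*selectors):
    """Constructed sample data: IPv4 selectors (proto, start, end) for 10.0.0.0-10.0.0.255."""
    addrs = bytes([10, 0, 0, 0, 10, 0, 0, 255])
    body = b"".join(struct.pack("!BBHHH", 7, p, 16, s, e) + addrs for p, s, e in selectors)
    return bytes([len(selectors), 0, 0, 0]) + body
```

An ICMP type is placed in the high byte of the port field, so type 13 with any code is the range `13 << 8` through `(13 << 8) | 0xFF`.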
System action
The tunnel activation fails; IKE daemon processing
continues.
Operator response
System programmer response
Contact the administrator of the
remote IKE peer node to modify their policies so that the resulting
traffic selectors are compatible with the restrictions listed above.
User response
Problem determination
Source
z/OS® Communications Server TCP/IP: IKE daemon
Module
IKEv2DomainOfInterpretation.cpp
Routing code
Descriptor code
Automation
This message is output to syslog.
Example
EZD1787I Received unsupported IKEv2 traffic selector specification