IPSec dynamic tunnel activation and refresh record (subtype 75)

The IPSec dynamic tunnel activation record is collected whenever the IKE daemon successfully negotiates a dynamic tunnel and installs it in the TCP/IP stack. This record contains information about the characteristics of the dynamic tunnel that is to be negotiated. If you are using the IPSec NMI, the common IP tunnel section of this SMF record is analogous to the NMsecIPTunnel structure, the dynamic tunnel section is analogous to the NMsecIPDynTunnel structure, and the IKE dynamic tunnel section is analogous to the NMsecIPDynamicIKE structure.

See Table 1 for the contents of the TCP/IP stack identification section. For the IPSec dynamic tunnel activation record, the TCP/IP Stack identification section indicates IKE as the subcomponent and X'08' (event record) as the record reason.

Table 1 lists the contents of the IPSec dynamic tunnel activation record self-defining section.
Table 1. IPSec dynamic tunnel activation record self-defining section
Offset Name Length Format Description
0(X'0') SMF119_HDR 24 EBCDIC Standard SMF Header; subtype is 75(X'4B').
Self-defining section
24(X'18') SMF119SD_TRN 2 Binary Number of triplets in this record (6).
26(X'1A')   2 Binary Reserved
28(X'1C') SMF119IDOff 4 Binary Offset to TCP/IP identification section.
32(X'20') SMF119IDLen 2 Binary Length of TCP/IP identification section.
34(X'22') SMF119IDNum 2 Binary Number of TCP/IP identification sections.
36(X'24') SMF119S1Off 4 Binary Offset to common IP tunnel section.
40(X'28') SMF119S1Len 2 Binary Length of common IP tunnel section.
42(X'2A') SMF119S1Num 2 Binary Number of common IP tunnel sections.
44(X'2C') SMF119S2Off 4 Binary Offset to dynamic tunnel section.
48(X'30') SMF119S2Len 2 Binary Length of dynamic tunnel section.
50(X'32') SMF119S2Num 2 Binary Number of tunnel sections.
52(X'34') SMF119S3Off 4 Binary Offset to IKE dynamic tunnel sections.
56(X'38') SMF119S3Len 2 Binary Length of IKE dynamic tunnel section.
58(X'3A') SMF119S3Num 2 Binary Number of IKE dynamic tunnel sections.
60(X'3C') SMF119S4Off 4 Binary Offset to local client ID section.
64(X'40') SMF119S4Len 2 Binary Length of local client ID section.
66(X'42') SMF119S4Num 2 Binary Number of local client ID sections.
68(X'44') SMF119S5Off 4 Binary Offset to remote client ID sections.
72(X'48') SMF119S5Len 2 Binary Length of remote client ID section.
74(X'5A') SMF119S5Num 2 Binary Number of remote client ID sections.

Table 2 lists the IPSec common IP tunnel specific section.

Table 2. IPSec common IP tunnel specific section
Offset Name Ln. Format Description
0(X'0') SMF119IS_IPTunID 48 EBCDIC Tunnel ID
48x'30') SMF119IS_IPTunVPNAction 48 EBCDIC Tunnel VPN action name
96(X'60')   4 Binary IP tunnel flags.

The following list identifies the bits, their names, and meaning.

  • X'80000000', SMF119IS_IPTunFlagIPv6: IPv6 indicator. If set, security endpoint addresses and data endpoint addresses are IPv6; otherwise, they are IPv4.
  • X'40000000', SMF119IS_IPTunFIPS140: FIPS 140 mode indicator. If this field is set, cryptographic operations for this tunnel are performed using cryptographic algorithms and modules that are designed to meet the FIPS 140 requirements; otherwise, cryptographic algorithms and modules that do not meet the FIPS 140 requirements might be used.
  • All remaining bits: Reserved
100(X'64') SMF119IS_IPTunType 1 Binary Tunnel type. One of the following values:
  • SMF119IS_IPTUN_MANUAL (1)

    Manual IP tunnel

  • SMF119IS_IPTUN_STACK (2)

    Dynamic IP tunnel, as seen by TCP/IP stack

  • SMF119IS_IPTUN_IKE (3)

    Dynamic IP tunnel, as seen by IKE
101(X'65') SMF119IS_IPTunState 1 Binary One of the following tunnel states:
  • SMF119IS_SASTATE_DEACT(1) Dynamic tunnel is deactivated. This value is valid only on record subtypes 76 and 78.
  • SMF119IS_SASTATE_ACTIVE (2) Manual or dynamic tunnel is active. This value is valid only on record subtype 75.
  • SMF119IS_SASTATE_EXPIRED (3) Dynamic tunnel is expired. This value is valid only on record subtype 78.
102(X'66') SMF119IS_IPTunRsvd2 2 Binary Reserved
104(X'68') SMF119IS_IPTunLclEndpt4 4 Binary One of the following values:
  • If SMF119IS_IPTunFlagIPv6 is set, this field is the 16–byte IPv6 local security endpoint address.
  • If SMF119IS_IPTunFlagIPv6 is clear, this field is the 4–byte IPv4 local security endpoint address.
104(X'68') SMF119IS_IPTunLclEndpt6 16 Binary One of the following values:
  • If SMF119IS_IPTunFlagIPv6 is set, this field is the 16–byte IPv6 local security endpoint address.
  • If SMF119IS_IPTunFlagIPv6 is clear, this field is the 4–byte IPv4 local security endpoint address.
120(X'78') SMF119IS_IPTunRmtEndpt4 4 Binary One of the following values:
  • If SMF119IS_IPTunFlagIPv6 is set, this field is the 16–byte IPv6 remote security endpoint address.
  • If SMF119IS_IPTunFlagIPv6 is clear this field is the 4 byte IPv4 remote security endpoint address.
120(X'78') SMF119IS_IPTunRmtEndpt6 16 Binary One of the following values:
  • If SMF119IS_IPTunFlagIPv6 is set, this field is the 16–byte IPv6 remote security endpoint address.
  • If SMF119IS_IPTunFlagIPv6 is clear this field is the 4 byte IPv4 remote security endpoint address.
136(X'88') SMF119IS_IPTunEncapMode 1 Binary One of the following tunnel encapsulation modes:
  • SMF119IS_IPTUN_TUNNELMODE (1)
  • SMF119IS_IPTUN_TRANSPORTMODE (2)
137(X'89') SMF119IS_IPTunAuthProto 1 Binary One of the following tunnel authentication protocols:
  • IPPROTO_AH (51)
  • IPPROTO_ESP (50)
138(X'8A') SMF119IS_IPTunAuthAlg 1 Binary One of the following tunnel authentication alogorithms:
  • SMF119IS_AUTH_NULL (0)

    The tunnel uses NULL authentication, or obtains authentication using a combined-mode encryption algorithm (see SMF119IS_IPTunEncryptAlg).

  • SMF119IS_AUTH_HMAC_MD5(38)

    The tunnel uses HMAC-MD5 authentication with Integrity Check Value (ICV) truncation to 96 bits.

  • SMF119IS_AUTH_HMAC_SHA1(39)

    The tunnel uses HMAC-SHA1 authentication with ICV truncation to 96 bits.

  • SMF119IS_AUTH_HMAC_SHA2_256_128 (7)

    The tunnel uses HMAC-SHA2-256 authentication with ICV truncation to 128 bits.

  • SMF119IS_AUTH_HMAC_SHA2_384_192 (13)

    The tunnel uses HMAC-SHA2-384 authentication with ICV truncation to 192 bits.

  • SMF119IS_AUTH_HMAC_SHA2_512_256 (14)

    The tunnel uses HMAC-SHA2-512 authentication with ICV truncation to 256 bits.

  • SMF119IS_AUTH_AES128_XCBC_96 (9)

    The tunnel uses AES128-XCBC authentication with ICV truncation to 96 bits.

  • SMF119IS_AUTH_AES_GMAC_128 (4)

    The tunnel uses AES-GMAC authentication with a key length of 128 bits.

  • SMF119IS_AUTH_AES_GMAC_256 (6)

    The tunnel uses AES-GMAC authentication with a key length of 256 bits.
139(X'8B') SMF119IS_IPTunEncryptAlg 1 Binary One of the following tunnel encryption algorithms:
  • SMF119IS_ENCR_NONE (0)
  • SMF119IS_ENCR_NULL (11)
  • SMF119IS_ENCR_DES (18)
  • SMF119IS_ENCR_3DES (3)
  • SMF119IS_ENCR_AES_CBC (12)

    AES encryption algorithm in Cipher Block Chaining (CBC) mode. See also SMF119IS_IPTunEncryptKeyLength which identifies the key length in use.

  • SMF119IS_ENCR_AES_GCM_16 (20)

    AES encryption algorithm in Galois/Counter Mode (GCM) using a 16-octet IV. See SMF119IS_IPTunEncryptKeyLength; it identifies the key length in use.
140(X'8C') SMF119IS_IPTunInbAuthSPI 4 Binary Tunnel inbound authentication SPI.
144(X'90') SMF119IS_IPTunOutbAuthSPI 4 Binary Tunnel outbound authentication SPI.
148(X'94') SMF119IS_IPTunInbEncryptSPI 4 Binary Tunnel inbound encryption SPI.
152(X'98') SMF119IS_IPTunOutbEncryptSPI 4 Binary Tunnel outbound encryption SPI.
156(X'9C') SMF119IS_IPTunStartTime 4 Binary Indicates the tunnel start time at which the tunnel was activated or refreshed, in UNIX format.
160(X'A0') SMF119IS_IPTunEncryptKeyLength 4 Binary Encryption key length for variable-length algorithms, in bits. Zero for encryption algorithms that have a fixed key length (such as DES and 3DES) and nonzero for encryption algorithms that have a variable key length (such as AES-CBC and AES-GCM).
Result: Example values are 128 and 256.

Table 3 lists the IPSec dynamic tunnel specific section.

Table 3. IPSec dynamic tunnel specific section
Offset Name Length Format Description
0(X'0')   4 Binary

The following list identifies the bits, their names, and meaning.

  • X'80000000', SMF119IS_IPDynUDPEncap: UDP encapsulation indicator. The tunnel uses UDP encapsulation mode.
  • X'40000000', SMF119IS_IPDynLclNAT: Local NAT indicator. A NAT has been detected in front of the local security endpoint.
  • X'20000000', SMF119IS_IPDynRmtNAT: Remote NAT indicator. A NAT has been detected in front of the remote security endpoint.
  • X'10000000', SMF119IS_IPDynRmtNAPT: Remote NAPT indicator. An NAPT has been detected in front of the remote security endpoint.
    Result: Some NAPTs might be undetected. In that case, the SMF119IS_IKETunRmtNAT bit is set, but this bit is not set.
  • X'08000000', SMF119IS_IPDynRmtGW: Remote NAT traversal gateway indicator. The tunnel uses UDP encapsulation and the remote security endpoint is acting as an IPSec gateway.
0(X'0') Cont.   Cont. Cont. One of the following values:
  • X'04000000', SMF119IS_IPDynRmtZOS: Remote z/OS® indicator. The remote peer has been detected to be z/OS. The remote peer might be running z/OS but it might not be detected as such, if NAT traversal is not enabled.
  • X'02000000', SMF119IS_IPDynCanInitP2: Dynamic tunnel (P2) initiation indicator. If set, the local security endpoint can initiate dynamic tunnel negotiations with the remote security endpoint; otherwise, the remote security endpoint must initiate dynamic tunnel negotiations. Either side can initiate refreshes.
  • X'01000000', SMF119IS_IPDynSrcIsSingle: Single source address indicator. Traffic source address is indicated by the SMF119IS_IPDynSrcAddr4 or SMF119IS_IPDynSrcAddr6 fields.
  • X'00800000', SMF119IS_IPDynSrcIsPrefix: Prefixed source address indicator. Traffic source address is indicated by the SMF119IS_IPDynSrcAddr4 or SMF119IS_IPDynSrcAddr6, fields and the source address prefix is indicated by the SMF119IS_IPDynSrcAddrPrefix field.
  • X'00400000', SMF119IS_IPDynSrcIsRange: Ranged source address indicator. Traffic source address range is indicated by the SMF119IS_IPDynSrcAddr4 and SMF119IS_IPDynSrcAddrRange4 fields, or by the SMF119IS_IPDynSrcAddr6 and SMF119IS_IPDynSrcAddrRange6 fields.
  • X'00200000', SMF119IS_IPDynDstIsSingle: Single destination address indicator. Traffic destination address is indicated by the SMF119IS_IPDynDstAddr4 or SMF119IS_IPDynDstAddr6 fields.
0(X'0') Cont   Cont. Cont. One of the following values:
  • X'000100000', SMF119IS_IPDynDstIsPrefix:Prefixed destination address indicator. Traffic destination address is indicated by the SMF119IS_IPDynDstAddr4 or SMF119IS_IPDynDstAddr6 fields, and destination address prefix is indicated by the SMF119IS_IPDynDstAddrPrefix field.
  • X'00080000', SMF119IS_IPDynDstIsRange: Ranged destination address indicator. Traffic destination address range is indicated by the SMF119IS_IPDynDstAddr4 and SMF119IS_IPDynDstAddrRange4 fields, or by the SMF119IS_IPDynDstAddr6 and SMF119IS_IPDynDstAddrRange6 field.
  • X'00040000', SMF119IS_IPDynTransportOpaque: Opaque transport selector indicator. If set, the dynamic tunnel is protecting data traffic where the upper layer selectors, source and destination ports, ICMP or ICMPv6 type and code or IPv6 Mobility header type are not available as a result of fragmentation.
  • All remaining bits: Reserved
4(X'4') SMF119IS_IPDynVPNRule 48 EBCDIC Dynamic VPN rule name for this tunnel. This field is blank if there is no local dynamic VPN rule.
52(X'34') SMF119IS_IPDynP1TunnelID 48 EBCDIC Tunnel ID for this tunnel's parent IKE (phase 1) tunnel. As a result of refreshes, this tunnel ID might represent multiple related IKE tunnels.
100(X'64') SMF119IS_IPDynLifesize 8 Binary Tunnel lifesize. Nonzero values indicate the lifesize value limit for the tunnel, in bytes.
108(X'6C') SMF119IS_IPDynLifesizeRefresh 8 Binary Tunnel lifesize refresh. Nonzero values indicate the lifesize value at which the tunnel is refreshed, in bytes.
116(X'74') SMF119IS_IPDynLifetimeExpire 4 Binary Tunnel lifetime. Indicates the time at which the tunnel expires, in UNIX format.
120(X'78') SMF119IS_IPDynLifetimeRefresh 4 Binary Tunnel lifetime refresh. Indicates the time at which the tunnel is refreshed, in UNIX format.
124(X'7C') SMF119IS_IPDynVPNLifeExpire 4 Binary Tunnel VPN lifetime expire. Nonzero values indicate the time at which the tunnel family ceases to be refreshed, in UNIX format.

This field retains its original value for a refreshed tunnel.
128(X'80') SMF119IS_IPDynActMethod 1 Binary One of the following tunnel activation methods:
  • SMF119IS_DYNTUN_USER (1): User activation (from the command line).
  • SMF119IS_DYNTUN_REMOTE (2): Remote activation from IPSec peer.
  • SMF119IS_DYNTUN_ONDEMAND (3): On-demand activation caused by IP traffic.
  • SMF119IS_DYNTUN_TAKEOVER (5): SWSA activation as a result of a DVIPA takeover.
  • SMF119IS_DYNTUN_AUTOACT (6): Auto-activation

This field retains its original value for a refreshed tunnel.
129(X'81') SMF119IS_IPDynRsvd2 3 Binary Reserved bits
132(X'84') SMF119IS_IPDynRmtUDPPort 2 Binary If the tunnel uses UDP encapsulation mode, this value is the IKE UDP port of the remote security endpoint; otherwise, the value is 0.
134(X'86') SMF119IS_IPDynRsvd3 2 Binary Reserved bits
136(X'88') SMF119IS_IPDynSrcNATOA 4 Binary Source NAT original IP address. NAT original IP addresses are exchanged only for certain UDP-encapsulated tunnels. During NAT traversal negotiations, the IKE peer sends the source IP address that it is aware of.

If NAT traversal negotiation did not occur or if an IKEv1 peer did not send a source NAT-OA payload, the value of this field is 0.

Restriction: An IKEv1 peer at a pre-RFC3947 NAT traversal support level cannot send a source NAT-OA payload.
140(X'8C') SMF119IS_IPDynDstNATOA 4 Binary Destination NAT original IP address. NAT original IP addresses are exchanged only for certain UDP-encapsulated tunnels. During NAT traversal negotiations, the IKE peer sends the destination IP address that it is aware of.

If NAT traversal negotiation did not occur or if an IKEv1 peer did not send a source NAT-OA payload, the value of this field is 0.

Restriction: An IKEv1 peer at a pre-RFC3947 NAT traversal support level cannot send a source NAT-OA payload.
144(X'90') SMF119IS_IPDynProtocol 1 Binary Protocol for tunnel data. If the value is 0, the tunnel includes all protocols.
145(X'91') SMF119IS_IPDynRsvd4 3 Binary Reserved bits
148(X'94') SMF119IS_IPDynSrcPort 2 Binary Low end of source port range for tunnel data or 0 if the tunnel is not limited to TCP or UDP.
150(X'96') SMF119IS_IPDynDstPort 2 Binary Low end of destination port range for tunnel data, or 0 if the tunnel is not limited to TCP or UDP.
152(X'98') SMF119IS_IPDynSrcAddr4 4 Binary One of the following values:
  • If the SMF119IS_IPDynSrcIsSingle field is set, this field is the IPv4 or IPv6 source address for tunnel data.
  • If the SMF119IS_IPDynSrcIsPrefix field is set, this field is the IPv4 or IPv6 source address base for tunnel data.
  • If the SMF119IS_IPDynSrcIsRange field is set, this field is the low end of the IPv4 or IPv6 source address range for tunnel data.
152(X'98') SMF119IS_IPDynSrcAddr6 16 Binary One of the following values:
  • If SMF119IS_IPTunFlagIPv6 is set, this field is the 16–byte IPv6 local security endpoint address.
  • If SMF119IS_IPTunFlagIPv6 is clear, this field is the 4–byte IPv4 local security endpoint address.
168(X'A8') SMF119IS_IPDynSrcAddrRange4 4 Binary If the SMF119IS_IPDynSrcIsRange field is set, this field is the highest address in the range of the IPv4 or IPv6 source addresses tunnel data.
168(X'A8') SMF119IS_IPDynSrcAddrRange6 16 Binary If the SMF119IS_IPDynSrcIsRange field is set, this field is the highest address in the range of the IPv4 or IPv6 source addresses tunnel data.
184(X'B8') SMF119IS_IPDynDstAddr4 4 Binary One of the following values:
  • If the SMF119IS_IPDynDstIsSingle field is set, this field is the IPv4 or IPv6 destination address for tunnel data.
  • If the SMF119IS_IPDynDstIsPrefix field is set, this field is the IPv4 or IPv6 destination address base for tunnel data.
  • If the SMF119IS_IPDynDstIsRange field is set, this field is the lowest IPv4 or IPv6 destination address in the range for tunnel data.
184(X'B8') SMF119IS_IPDynDstAddr6 16 Binary One of the following values:
  • If the SMF119IS_IPDynDstIsSingle field is set, this field is the IPv4 or IPv6 destination address for tunnel data.
  • If the SMF119IS_IPDynDstIsPrefix field is set, this field is the IPv4 or IPv6 destination address base for tunnel data.
  • If the SMF119IS_IPDynDstIsRange field is set, this field is the lowest IPv4 or IPv6 destination address in the range for tunnel data.
200(X'C8') SMF119IS_IPDynDstAddrRange4 4 Binary If the SMF119IS_IPDynDstIsRange field is set, this field is the highest IPv4 or IPv6 destination address in the range range for tunnel data.
200(X'C8') SMF119IS_IPDynDstAddrRange6 16 Binary If the SMF119IS_IPDynDstIsRange field is set, this field is the highest IPv4 or IPv6 destination address in the range range for tunnel data.
216(X'D8') SMF119IS_IPDynSrcAddrPrefix 1 Binary If the SMF119IS_IPDynSrcIsPrefix field is set, this field is the length of the tunnel data source address prefix in bits.
217(X'D9') SMF119IS_IPDynDstAddrPrefix 1 Binary If the SMF119IS_IPDynDstIsPrefix field is set, this field is the length of the tunnel data destination address prefix in bits.
218(X'DA') SMF119IS_IPDynMajorVer 1 Binary Major version of the IKE protocol in use. Only the low-order 4 bits are used.
219(X'DB') SMF119IS_IPDynMinorVer 1 Binary Minor version of the IKE protocol in use. Only the low-order 4 bits are used.
220(X'DC') SMF119IS_IPDynType 1 Binary Low end of ICMP, ICMPv6, or MIPv6 type range for tunnel data; otherwise, this value is 0 if the tunnel is not limited to ICMP, ICMPv6, or MIPv6.
221(X'DD') SMF119IS_IPDynTypeRange 1 Binary High end of ICMP, ICMPv6, or MIPv6 type range for tunnel data; otherwise this value is 0 if the tunnel is not limited to ICMP, ICMPv6, or MIPv6. A tunnel applying to all type values is indicated as a value in the range 0- 255.
222(X'DE') SMF119IS_IPDynCode 1 Binary Low end of ICMP or ICMPv6 code range for tunnel data; otherwise this value is 0 if the tunnel is not limited to ICMP or ICMPv6.
223(X'DF') SMF119IS_IPDynCodeRange 1 Binary High end of ICMP or ICMPv6 code range for tunnel data; otherwise, this value is 0 if the tunnel is not limited to ICMP or ICMPv6. A tunnel applying to all code values is indicated as a value in the range 0 - 255.
224(X'E0') SMF119IS_IPDynSrcPortRange 2 Binary High end of source port range for tunnel data; otherwise this value is 0 if the tunnel is not limited to TCP or UDP. A tunnel applying to all source port values is indicated as a value in the range 0- 65 535.
226(X'E2') SMF119IS_IPDynDstPortRange 2 Binary High end of destination port range for tunnel data, or 0 if the tunnel is not limited to TCP or UDP. A tunnel applying to all destination port values is indicated as a value in the range 0 - 65 535.
228(X'E4') SMF119IS_IPDynGeneration 4 Binary Tunnel generation number. The first dynamic tunnel with a particular tunnel ID has generation 1. Subsequent refreshes of this dynamic tunnel have the same tunnel ID but higher generation numbers.

Table 4 lists the IPSec IKE dynamic tunnel specific section.

Table 4. IPSec IKE dynamic tunnel specific section
Offset Name Length Format Description
0(X'0') SMF119IS_IPDynIKERsvd1 4 Binary Reserved bits.
4(X'4') SMF119IS_IPDynIKEFilter 48 EBCDIC Filter name for the IP filter related to this dynamic tunnel.
52(X'34') SMF119IS_IPDynIKEDHGroup 4 Binary Diffie-Hellman group used for PFS for this dynamic tunnel, or 0 if phase 2 PFS is not configured.
56(X'38') SMF119IS_IPDynIKELclIDType 1 Binary ISAKMP identity type for the local client ID, as defined in RFC 2407. Client identities can be exchanged during negotiation to limit or define the scope of data protected by the tunnel. If client identities are not exchanged, then the scope of data protection is defined to include the peers' tunnel endpoint addresses.

If client identities were not exchanged during negotiation, this field is 0.
57(X'39') SMF119IS_IPDynIKERmtIDType 1 Binary ISAKMP identity type for the remote client ID, as defined in RFC 2407. Client identities might be exchanged during negotiation to limit or define the scope of data protected by the tunnel. If client identities are not exchanged, then the scope of data protection is defined to include the peers' tunnel endpoint addresses.

If client identities were not exchanged during negotiation, this field is 0.
58(X'3A') SMF119IS_IPDynIKEExtState 2 Binary One of the following extended tunnel state information types:
  • SMF119IS_EXTSASTATE_ACTIVATE (1): This is a new Phase 2 activation. This value is valid only on record subtype 75.
  • SMF119IS_EXTSASTATE_REFRESH (2): This is a Phase 2 refresh. This value is valid only on record subtype 75.
  • SMF119IS_EXTSASTATE_DEACT (3): This tunnel is deactivated (not caused by an error or negotiation failure). This value is valid only on record subtype 76.
The following values are valid only on record subtype 76:
  • SMF119IS_EXTSASTATE_PROPOSAL (4): Negotiation failure. No proposal matched the current policy.
  • SMF119IS_EXTSASTATE_RETRANS (5): Negotiation failure. A retransmit limit was exceeded while negotiating this tunnel.
  • SMF119IS_EXTSASTATE_POLICY (6): Negotiation failure. A policy mismatch other than a proposal mismatch occured. For example, no valid IpFilterRule.
  • SMF119IS_EXTSASTATE_OTHER (7): Negotiation failure. The data is not valid in an ISAKMP packet or internal error.
  • SMF119IS_EXTSASTATE_NOINS (8): A stack error prevented this phase 2 SA from being installed.

Table 5 lists the IPSec local client ID specific section.

Table 5. IPSec local client ID specific section
Offset Name Length Format Description
0(X'0') SMF119IS_LocalClientID n EBCDIC The local client ID for this tunnel's phase 2 negotiation. Regardless of the identity's type, the ID is expressed as an EBCDIC string (an IP address is returned in printable form).

Table 6 lists the IPSec remote client ID specific section.

Table 6. IPSec remote client ID specific section
Offset Name Length Format Description
0(X'0') SMF119IS_RemoteClientID n EBCDIC The remote client ID for this tunnel's phase 2 negotiation. Regardless of the identity's type, the ID is expressed as an EBCDIC string (an IP address is returned in printable form).