HP-UX IPSec A.02.01.01 Release Notes for HP-UX 11i v1 | HP-UX 11i v2, Update 2

Table 1 Fixes in HP-UX IPSec A.02.01.01 (continued)
Description | Defect ID
(JAGaf80092) IKE SA negotiations fail on HP-UX PA-RISC systems when using
certificate-based authentication with a Certificate Authority (CA) that generates Version 2
Certificate Revocation Lists (CRLs), such as a Microsoft CA. The audit log will show messages
that include the following text:
ERROR...crypto_validate_and_insert_certificate, Error processing CERT
payload, and Phase 1 MM processing failed.
Resolution: Version 2 CRLs are now supported on PA-RISC systems.
SR: 8606420262
(JAGaf81929) Users get the message Failed to verify HP-UX IPSec password.
Did you set the password...when they enter an ipsec_config add csr
command with a long input string even though the password has been set.
Resolution: Fix the buffer boundary and initialize the memory area.
SR: 8606422105
(JAGaf81948) The ipsec_config add crl command returns the value 255 when it
succeeds.
Resolution: The ipsec_config add crl command now returns 0 when it is successful.
SR: 8606422124
(JAGaf79158) The ipsec_config command allows the user to configure an authentication
record for Aggressive Mode (AM) without remote ID type (rtype) and value (rid)
arguments. This causes IKE SA negotiations using the authentication record to fail. The
audit log shows the following message:
Phase 1 AM processing failed.
Resolution: The ipsec_config command now requires the rtype and rid arguments
when users add authentication records for AM.
SR: 8606419328
(JAGaf81885) The ipsec_config add csr command returns the following message
when the user does not specify a subject:
IPSEC_CONFIG: ERROR-system(/var/adm/ipsec_gui/lib/req
-nodes -batch... command failed, errno 0: "Error 0"
Arguments:
"add csr ..."
Resolution: The ipsec_config add csr command now returns a message telling the user that
a subject must be specified.
SR: 8606422061
(JAGaf81899) The ipsec_config add csr argument -key-length is incorrectly
documented as -key_length in the manpage and HP-UX IPSec Administrator's Guide.
Resolution: The ipsec_config add manpage is corrected in version A.02.01.01. The
Administrator's Guide will be corrected in the next release.
SR: 8606422075
(JAGag11863) The AUTOCONF feature (an option for peers that use autoconfiguration
methods to get IP addresses) was not working properly.
Resolution: The ipsec_config add host command now accepts the AUTOCONF option
and the IPSec subsystem properly handles the option.
SR: 8606455304
(JAGag07497) If an IKE peer sent an encrypted Informational Exchange message in a Main
Mode exchange after keying material had been exchanged, the IKE daemon would not
decrypt the message and would log the following error:
Event: Received an encrypted packet when crypto not active!
Resolution: The IKE daemon now decrypts and processes an encrypted Informational
Exchange message in Main Mode after keying material has been exchanged.
SR: 8606450432