HP-UX IPSec version A.02.00 Administrator's Guide

Troubleshooting HP-UX IPSec
Troubleshooting Procedures
Chapter 5
Queries the policy daemon and reports the active IP interfaces (those that are plumbed, whether configured UP or DOWN) and whether or not HP-UX IPSec is enabled on each interface. You can also do this by entering the following command:
ipsec_report -ip
Queries the kernel policy engine and reports the contents of its cache. The cache records the most recent decisions the kernel policy engine has made for traffic passing in and out of the system. Even when there is no IPSec peer, the kernel policy engine still records a decision for every packet the system has sent or received (including broadcast packets), keyed by five-tuple (source IP address, destination IP address, protocol, source port, destination port), together with the action taken, even if that action was to pass the packet in clear text as the configuration directs. Because only the most recent decisions are kept, query the cache shortly after reproducing the traffic you are interested in. You can also do this by entering the following command:
ipsec_report -cache
Formats and displays the contents of the current audit file. You can also do this by entering the following command:
ipsec_report -audit audit_file
Isolating HP-UX IPSec Problems from Upper-layer Problems
If you are unsure whether an application problem is being caused by HP-UX IPSec, you can enable layer 4 (TCP, UDP, IGMP) tracing. This captures outbound packets before HP-UX IPSec encrypts them and inbound packets after HP-UX IPSec decrypts them, so the trace shows the application data exactly as the upper layers see it. If the application data in the trace is already wrong, the problem is above HP-UX IPSec; if the trace shows correct data that never reaches the peer, HP-UX IPSec or the network below it is the suspect.
Because layer 4 tracing records in clear text the data that HP-UX IPSec would otherwise protect on the wire, it is a potential security exposure. For that reason it is disabled whenever HP-UX IPSec is started and can be enabled only with the ipsec_admin utility, which requires root capability and the HP-UX IPSec administrator password. Enable it only for the duration of the test, disable it again as soon as you have captured the problem, and restrict access to or remove the resulting trace files, since they hold application data in clear text.
To enable layer 4 tracing, use the following command:
ipsec_admin -traceon [ tcp | udp | igmp | all ]
If nettl tracing is not already enabled, the trace output goes to /var/adm/ipsec/nettl.TRC0 and /var/adm/ipsec/nettl.TRC1. If nettl tracing is already enabled, the layer 4 trace goes to the trace files nettl is already using.
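The following shell script is an added example and is not part of the HP-UX IPSec guide. It wraps the layer 4 tracing procedure above so that tracing is enabled only around a single reproduction command and is switched off again as soon as that command finishes or is interrupted, because the trace files contain clear-text application data. Beyond what the page states, it assumes that ipsec_admin -traceoff disables tracing and that ipsec_admin prompts for the HP-UX IPSec administrator password itself; the IPSEC_ADMIN variable and the reproduction command are hypothetical conveniences that let you point the script at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide: run one reproduction of a
# suspected upper-layer problem with layer 4 tracing enabled, then switch
# tracing off again so clear-text payloads are not captured indefinitely.
#
# Assumptions not stated on the page:
#   - "ipsec_admin -traceoff" disables layer 4 tracing.
#   - ipsec_admin prompts for the HP-UX IPSec administrator password itself;
#     this script never handles or stores that password.

IPSEC_ADMIN=${IPSEC_ADMIN:-ipsec_admin}   # point at a stub for a dry run
TRACE_DIR=/var/adm/ipsec                  # default trace location when nettl is not already tracing

# valid_proto PROTO: succeed only for the protocol keywords -traceon accepts.
valid_proto() {
    case "$1" in
        tcp|udp|igmp|all) return 0 ;;
        *)                return 1 ;;
    esac
}

# trace_cmd PROTO: print the exact enabling command, or fail for a bad keyword.
trace_cmd() {
    valid_proto "$1" || return 1
    printf 'ipsec_admin -traceon %s\n' "$1"
}

# run_traced PROTO CMD...: enable tracing for PROTO, run CMD, disable tracing
# (also when interrupted by HUP/INT/TERM), and return CMD's exit status.
# ipsec_admin itself enforces the root and administrator-password requirements.
run_traced() {
    proto=$1; shift
    if ! valid_proto "$proto"; then
        echo "run_traced: protocol must be tcp, udp, igmp or all" >&2
        return 2
    fi
    if ! "$IPSEC_ADMIN" -traceon "$proto"; then
        echo "run_traced: could not enable layer 4 tracing" >&2
        return 2
    fi
    # If the reproduction is interrupted, still turn tracing off before leaving.
    trap '"$IPSEC_ADMIN" -traceoff; exit 130' HUP INT TERM
    if "$@"; then rc=0; else rc=$?; fi
    "$IPSEC_ADMIN" -traceoff
    trap - HUP INT TERM
    echo "run_traced: trace written under $TRACE_DIR (or nettl's own trace files if nettl was already tracing);" >&2
    echo "run_traced: it holds clear-text payloads, restrict access to it or remove it when finished" >&2
    return $rc
}

# Typical use (as root, hypothetical reproduction command):
#   run_traced tcp /usr/local/bin/reproduce_problem
```

The reproduction command is passed as arguments rather than embedded, so the same wrapper serves any application test; the return value is that command's exit status, which lets a calling script tell "the application still fails with tracing on" from "tracing could not be enabled".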