HP-UX IPSec version A.02.00 Administrator's Guide
Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Check for the /var/adm/ipsec/javabeans.txt (VeriSign) or
/var/adm/ipsec/.Bsec file (Baltimore).
Details

Check the audit log for messages indicating that the certificate for the
local or remote system has expired, has been revoked, or has X.509
encoding errors.

You can also try using preshared keys for primary authentication. You
will need to configure the same preshared key on both systems.

Check that you have a certificate for the remote system. As part of the
IKE dialog, the remote system should send its certificate to the local
system. The IKE daemon stores a copy of the certificate in
/var/adm/ipsec/certs.txt (VeriSign) or /var/adm/ipsec/.Bcerts
(Baltimore). However, these files are encrypted and can only be viewed
with ipsec_mgr. Check the expiration date for the local and remote
system certificates.

Check that the /var/adm/ipsec/javabeans.txt file (VeriSign) or the
/var/adm/ipsec/.Bsec file (Baltimore) has not been deleted. If the
applicable file has been deleted, either restore it from a backup or
recreate it by re-importing the certificate.

For VeriSign, check that the entry in the certs.txt file for the local system
is complete by using ipsec_mgr to examine the certificates in detail. If
you have requested a VeriSign certificate but have not completed the
process of importing the certificate into IPSec, you will find an entry in
the /var/adm/ipsec/certs.txt or /var/adm/ipsec/.Bcerts file for
the local system, but there will be no certificate.
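
The file checks above can be scripted. The following POSIX shell functions are an added example, not part of the HP guide: they flag the case where a certificate store (certs.txt or .Bcerts) exists but the matching local file (javabeans.txt or .Bsec) is missing or empty. The function names and return codes are this example's own; only the file paths come from the text.

```shell
#!/bin/sh
# Added example: presence check for the HP-UX IPSec certificate files
# named in this section. Function names and return codes are hypothetical.
# An empty file is treated the same as a deleted one (assumption).

# check_ca DIR LABEL LOCAL_FILE STORE_FILE
# Prints one status line and returns:
#   0 = local file and store both present
#   1 = store exists but local file is missing or empty
#   2 = neither file exists (this CA is not in use)
#   3 = local file present, store file absent
check_ca() {
    dir=$1; label=$2; localf=$3; storef=$4
    if [ -s "$dir/$localf" ]; then
        if [ -s "$dir/$storef" ]; then
            echo "$label: OK ($localf and $storef present)"
            return 0
        fi
        echo "$label: $localf present, $storef absent"
        return 3
    fi
    if [ -e "$dir/$storef" ]; then
        echo "$label: $localf missing or empty;" \
             "restore it from a backup or re-import the certificate"
        return 1
    fi
    echo "$label: not configured"
    return 2
}

# check_ipsec_cert_files [DIR]
# Runs both CA checks; returns 1 if either one reports state 1, else 0.
check_ipsec_cert_files() {
    base=${1:-/var/adm/ipsec}
    rc=0
    check_ca "$base" VeriSign  javabeans.txt certs.txt || [ $? -ne 1 ] || rc=1
    check_ca "$base" Baltimore .Bsec         .Bcerts   || [ $? -ne 1 ] || rc=1
    return $rc
}
```

Source the file and run `check_ipsec_cert_files` as root. Certificate expiration and completeness still have to be checked in ipsec_mgr, because the store files are encrypted.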
ISAKMP/MM SA Negotiation Succeeded, IPSec/QM SA Negotiation Fails (Quick Mode processing failed, QM negotiation timeout)
Problem
ISAKMP/MM SA negotiation succeeded, the ISAKMP/MM SA was
established, but the IPSec/QM SA negotiation failed.