HP-UX IPSec version A.02.00 Administrator's Guide
Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 5 179
The audit file may show errors when HP-UX IPSec starts or when a
manual key is added such as PF_KEY: SADB_ADD for SPI 0x
nnnn
returns EEXIST and PF_KEY: Invalid SADB_ADD, SPI 0x
nnnn
,
errno 22.
If the HP-UX IPSec audit level is set to warning or higher, the audit file
may show entries such as No SPI for received packet.
STREAMS log records may show entries from HP-UX IPSec STREAMS
modules (ipsec_
aaaa
), such as Bad cipher SA init or Padding
checks failed.
Solution
Check the manual key configuration. Check that the local inbound SA
descriptor (SPI, transform type, authentication key, encryption key, and
initialization vector) matches the remote outbound SA descriptor (on
the remote system). Check that the local outbound SA descriptor
matches the remote inbound SA descriptor (on the remote system).
SADB_ADD for SPI 0x
nnnn
returns EEXIST If the audit file contains
an error message similar to the one below, you are attempting to add a
manual key with an SPI that is already allocated:
Msg: 178 From: SECPOLICYD Lvl: ERROR Date: Thu Jun 24
09:45:17 2004
Event: PF_KEY: SADB_ADD for SPI 0x201 returns EEXIST
In the above example, the user tried to add a manual key with inbound
SPI 513 (0x201). The secure policy daemon had already allocated
inbound SPI 513 for a dynamic key SA, and when the daemon received
the request to add the manual key SA with the same SPI, it logged the
above error and did not add the manual key SA.
Change the manual key SPI. Verify that the SPIs are unique and are not
within the range for dynamic key SPI numbers. The default range for
dynamic key SPI numbers is 300 - 2500000. Refer to the ipsec_config
(1M) manpage for more information on changing the dynamic key SPI
range.
Invalid SADB_ADD
If the audit file contains the error message similar to the one below,
HP-UX IPSec may be rejecting a DES or 3DES encryption key because it
is too weak (not sufficiently random):