HP-UX IPSec version A.02.00 Administrator's Guide

Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 5
Symptoms
The administrator cannot get a certificate using ipsec_mgr. ipsec_mgr
shows no certificate entry or an incomplete entry. The audit file shows
the following error: Unable to obtain public/private key pair!
Solution
Check stdout for ipsec_mgr errors. Check the VeriSign Managed PKI
Control Center for a pending request or existing certificate. Check the
web proxy configuration (run ipsec_mgr, click on the Options menu,
select System, then select Proxy Information). You may need to reset
/var/adm/ipsec/cainfo.txt; remove
/var/adm/ipsec/javabeans.txt, /var/adm/ipsec/certs.txt; revoke
the old certificate, and restart the registration procedure.
Details
If you cannot get a VeriSign certificate or if you forget to retrieve the
certificate after you request it, ipsec_mgr may show a certificate entry
for the local system. However, if you click Details the entry will be
incomplete (there will be no information other than the IP address).
When you attempt to initiate an ISAKMP/MM SA, it will fail and you
will see errors similar to the following in the log file:
Msg: 201 From: IKMPD Lvl: ERROR Date: Mon Mar 11 16:19:39 2002
Event: Unable to obtain public/private key pair!
Msg: 202 From: IKMPD Lvl: ERROR Date Mon Mar 11 16:19:39 2002
Event: Process contruct error 0x1
Msg: 203 From IKMPD Lvl: ERROR Date Mon Mar 11 16:19:39 2002
Event: Main Mode processing failed
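As an added example, not from the HP-UX IPSec documentation, the following Python parser reads the two-line audit records in the format shown above (a constructed sample modelled on that excerpt, not a real capture), flags the key-pair error, and reports whether a Main Mode failure followed it, which is the sequence this scenario describes.

```python
import re

# Constructed sample modelled on the audit-file excerpt above; not a real capture.
SAMPLE_AUDIT = """\
Msg: 200 From: IKMPD Lvl: INFO Date: Mon Mar 11 16:19:38 2002
Event: Main Mode initiated
Msg: 201 From: IKMPD Lvl: ERROR Date: Mon Mar 11 16:19:39 2002
Event: Unable to obtain public/private key pair!
Msg: 202 From: IKMPD Lvl: ERROR Date Mon Mar 11 16:19:39 2002
Event: Process contruct error 0x1
Msg: 203 From IKMPD Lvl: ERROR Date Mon Mar 11 16:19:39 2002
Event: Main Mode processing failed
"""
KEYPAIR_ERROR = "Unable to obtain public/private key pair!"
MAIN_MODE_FAILED = "Main Mode processing failed"
# Header line of a record; the colon after From/Date is optional since the excerpt shows both forms.
HEADER_RE = re.compile(r"^Msg:\s*(?P<msg>\d+)\s+From:?\s*(?P<src>\S+)\s+Lvl:\s*(?P<lvl>\S+)"
                       r"\s+Date:?\s*(?P<date>.+?)\s*$")

def parse_audit(text):
    """Pair each 'Msg:' header line with the 'Event:' line that follows it."""
    records, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()  # hold the header until its Event line arrives
        elif line.startswith("Event:") and header is not None:
            header["msg"] = int(header["msg"])
            header["event"] = line[len("Event:"):].strip()
            records.append(header)
            header = None
    return records

def keypair_failures(records):
    """Msg numbers of ERROR records carrying the missing-key-pair symptom."""
    return [r["msg"] for r in records if r["lvl"] == "ERROR" and r["event"] == KEYPAIR_ERROR]

def main_mode_failed_after_keypair_error(records):
    """True when a key-pair error is later followed by a Main Mode failure, as in the scenario above."""
    seen_keypair = False
    for r in records:
        if r["event"] == KEYPAIR_ERROR:
            seen_keypair = True
        elif seen_keypair and r["event"] == MAIN_MODE_FAILED:
            return True
    return False
```

Run it against /var/adm/ipsec audit output by passing the file contents to parse_audit; a non-empty keypair_failures result points at the certificate retrieval checks listed under Solution.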
If ipsec_mgr has problems retrieving a VeriSign certificate, it writes the
errors to the stdout device for ipsec_mgr (the terminal or device from which
ipsec_mgr was started). ipsec_mgr does not log these errors through the
HP-UX IPSec daemon.
If you request a VeriSign certificate using ipsec_mgr and ipsec_mgr
cannot retrieve the certificate (the Check on Request operation fails), it
is possible that the Managed PKI Administrator has not yet approved
your certificate request. Have the Managed PKI Administrator use the
VeriSign Managed PKI Control Center to check for pending requests. If
the Managed PKI Administrator did not receive a request for approval,
verify communication with the Managed PKI Control Center. If you are