HP-UX IPSec version A.02.01 Administrator's Guide
Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 7 217
Msg: 413 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:14:18 2002
Event: Phase 1 negotiation timed out, src 15.2.2.2
If there is a mismatch in IKE policies, some IKE daemons do not respond
to negotiation attempts. This causes an MM negotiation timeout error
on the connecting system.
IKE SA Negotiation Fails (Phase 1 MM processing failed, Phase 1 AM processing failed)
Problem
IKE SA negotiation fails.
Symptoms
The output from ipsec_report -sa ike does not show the IKE
SA. On the IKE responder, the audit log contains a Phase 1 MM
processing failed error if Main Mode was used, or a Phase 1 AM
processing failed error if Aggressive Mode was used. On the IKE
initiator, the audit log may contain a Phase 1 negotiation timed out error.
Solution
Check the audit file for more information about the error and other error
entries. The audit file on the IKE responder typically shows more error
information. For example, the following audit file entry indicates that
the responder rejected the IKE negotiation because the initiator
proposed an Oakley group that is not acceptable to the responder:
Msg: 605 From: IKMPD Lvl: ERROR Date: Fri Sep 9 14:23:13 2005
Event: atts GROUP_DESC:Alternate 1024-bit MODP group is not acceptable
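As an added example (not part of the HP guide), the following Python script parses audit entries in the Msg/Event layout shown above and maps each IKMPD error to the follow-up check this section describes. The function names and triage wording are assumptions of the example; the sample input reuses the two entries from this page.

```python
import re

# Layout assumed from the two audit entries printed on this page.
HEADER = re.compile(r"Msg:\s*(\d+)\s+From:\s*(\S+)\s+Lvl:\s*(\S+)\s+Date:\s*(.*)")
REJECTED = re.compile(r"atts\s+(\w+):(.+?)\s+is\s+not\s+acceptable")

def parse_entries(text):
    """Split audit text into entries, rejoining wrapped Date/Event lines."""
    entries, cur, field = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = dict(zip(("msg", "from", "level", "date"), m.groups()), event="")
            entries.append(cur)
            field = "date"
        elif cur is None or not line:
            continue
        elif line.startswith("Event:"):
            cur["event"], field = line[len("Event:"):].strip(), "event"
        else:  # continuation of a wrapped Date or Event line
            cur[field] = f"{cur[field]} {line}".strip()
    return entries

def triage(entry):
    """Return the follow-up check this section suggests, or None."""
    if entry["from"] != "IKMPD" or entry["level"] != "ERROR":
        return None
    m = REJECTED.search(entry["event"])
    if m:
        return f"responder rejected {m.group(1)} '{m.group(2)}': compare IKE policy with the peer"
    if re.search(r"Phase 1 (MM|AM) processing failed", entry["event"]):
        return "Phase 1 failed on responder: look for 'not acceptable' entries nearby"
    if "Phase 1 negotiation timed out" in entry["event"]:
        return "initiator timed out: read the responder's audit file, suspect IKE policy mismatch"
    return None

# Sample input: the two audit entries from this page, with the Date and
# Event fields wrapped across lines to exercise the rejoining logic.
SAMPLE = """\
Msg: 413 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:14:18
2002
Event: Phase 1 negotiation timed out, src 15.2.2.2
Msg: 605 From: IKMPD Lvl: ERROR Date: Fri Sep 9 14:23:13
2005
Event: atts GROUP_DESC:Alternate 1024-bit MODP group is
not acceptable
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e["msg"], e["date"], "->", triage(e))
```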
Check the IKE policy parameters against the parameters configured on
the remote system:
Run the following command:
ipsec_policy (determine the IKE policy)
• Group (Oakley or Diffie-Hellman group)