HP-UX IPSec version A.02.01 Administrator's Guide
Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 7, page 218
• (Primary) Authentication Method
• Authentication Algorithm
• Encryption Algorithm
• The preshared key value, if you are using preshared key
authentication. On HP-UX systems, this is configured using the
ipsec_config add auth command, and must be an ASCII value.
The ipsec_config command does not allow spaces in the key, and any
double quote marks in the command become part of the key value.
The audit message Phase 1 negotiation timed out may indicate a
connectivity problem with the remote system. If you get this message on
the IKE initiator, this may indicate a negotiation failure. See “IKE SA
Negotiation Times Out (Phase 1 Negotiation timed out)” on page 218.
IKE SA Negotiation Times Out (Phase 1 Negotiation timed out)
Problem
IKE SA negotiation times out.
Symptoms
The output from ipsec_report -sa ike does not show the IKE
SA. The audit log contains the error Phase 1 negotiation timed out.
Solution
The audit message Phase 1 negotiation timed out may indicate a
connectivity problem with the remote system. If you get this message on
the IKE initiator, it may also indicate that the initiator sent an
unacceptable SA proposal. HP-UX and other IKE responders will not
respond if the initiator sends an unacceptable SA proposal.
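The triage this solution describes, as an added example that is not part of the HP guide: it counts the initiator's Phase 1 negotiation timed out records and the responder's Starting phase 1 MM negotiation as Responder records, then reports which cause to check first. It assumes both audit files have been copied to local paths; the function names, verdict keywords and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not HP code). Record layout follows the audit sample in this
# guide: a "Msg: ..." header line followed by an "Event: ..." line.

# count_events FILE TEXT: print how many audit records contain TEXT.
count_events() {
    awk -v pat="$2" '
        function flush() { if (index(rec, pat)) n++; rec = "" }
        /^Msg:/ { flush() }                 # a header starts a new record
        { $1 = $1; rec = rec " " $0 }       # rejoin wrapped lines, squeeze blanks
        END { flush(); print n + 0 }
    ' "$1"
}

# triage INITIATOR_AUDIT RESPONDER_AUDIT: print a hypothetical verdict keyword.
triage() {
    timeouts=$(count_events "$1" "Phase 1 negotiation timed out")
    starts=$(count_events "$2" "Starting phase 1 MM negotiation as Responder")
    if [ "$timeouts" -eq 0 ]; then
        echo "no-phase1-timeout"
    elif [ "$starts" -eq 0 ]; then
        # Only meaningful when the responder audit level is informative.
        echo "check-connectivity"
    else
        # Responder saw the first message but stayed silent: compare proposals.
        echo "check-proposal"
    fi
}

# Constructed sample records: message number 100, level ERROR and <peer> are
# placeholders, not values from the guide.
SAMPLES=${TMPDIR:-/tmp}/ike_triage.$$
mkdir -p "$SAMPLES"
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/initiator.log" <<'EOF'
Msg: 100 From: IKMPD Lvl: ERROR Date: Fri Sep 9 14:16:14 2005
Event: Phase 1 negotiation
   timed out
EOF
cat > "$SAMPLES/responder_seen.log" <<'EOF'
Msg: 624 From: IKMPD Lvl: INFORMATIVE Date: Fri Sep 9
14:15:14 2005
Event: Starting phase 1 MM negotiation as Responder with <peer>
EOF
: > "$SAMPLES/responder_empty.log"

triage "$SAMPLES/initiator.log" "$SAMPLES/responder_seen.log"
triage "$SAMPLES/initiator.log" "$SAMPLES/responder_empty.log"
```

A check-proposal verdict points back to the parameters that must match on both systems: authentication method, authentication algorithm, encryption algorithm and preshared key value.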
Check that the responder is receiving the IKE messages from the
initiator. If the audit level is set to informative on the responder, the
audit file will contain a message similar to the following if it is receiving
the initial IKE negotiation message:
Msg: 624 From: IKMPD Lvl: INFORMATIVE Date: Fri Sep 9 14:15:14 2005
Event: Starting phase 1 MM negotiation as Responder with