HP-UX IPSec version A.02.01 Administrator's Guide

Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 7 219
src 15.1.1.1.
Enable a nettl level 4 trace using the command ipsec_admin -traceon
or get a line analyzer trace and verify that the packets are being sent and
received by the correct remote system. Check whether the remote IKE
entity is responding. IKE always uses UDP port 500 to receive and send
IKE packets.
IKE Primary Authentication Fails with Certificates
Problem
Certificate-based (RSA signature) primary authentication fails.
Symptoms
Output from the ipsec -sa ike command does not show the IKE SA.
The audit log contains a Phase 1 MM processing failed or Phase 1
AM processing failed error message.
Solution
Check the audit file for an expired certificate, revoked certificate, or
certificate encoding problems. Try preshared key authentication.
Run ipsec_config show certificate and check the local system’s
certificate.
Check for the /var/adm/ipsec/ipsec.key and
/var/adm/ipsec/ipsec.cert files.
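The checks listed under Solution, collected into a small shell script. This is an added example and not part of the HP-UX IPSec guide; the location of the audit log is an assumption and is passed as an argument, and the ipsec_config show certificate step is still run by hand.

```shell
#!/bin/sh
# Added diagnostic helper (not from the HP-UX IPSec guide). It walks the
# checklist for a failed certificate-based IKE primary authentication:
#   1. are /var/adm/ipsec/ipsec.key and ipsec.cert present and non-empty?
#   2. does the audit log show "Phase 1 MM/AM processing failed", and does
#      it name an expired, revoked or badly encoded certificate?
# The audit log path is an assumption: pass the real file as 2nd argument.

# ipsec_cert_check IPSEC_DIR AUDIT_LOG
#   prints one line per finding; the return value is the number of findings
#   (0 means every check passed).
ipsec_cert_check() {
    dir=$1
    audit=$2
    problems=0

    for f in ipsec.key ipsec.cert; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING: $dir/$f (restore from backup or re-create with ipsec_config add certificate)"
            problems=$((problems + 1))
        fi
    done

    if [ ! -r "$audit" ]; then
        echo "AUDIT: cannot read $audit"
        return $((problems + 1))
    fi

    # Phase 1 failure messages named under Symptoms
    if grep -qE 'Phase 1 (MM|AM) processing failed' "$audit"; then
        echo "AUDIT: IKE Phase 1 processing failed (see $audit)"
        problems=$((problems + 1))
    fi

    # Certificate problems the Solution says to look for in the audit file
    for reason in expired revoked encoding; do
        if grep -iqE "certificate.*$reason|$reason.*certificate" "$audit"; then
            echo "AUDIT: certificate $reason"
            problems=$((problems + 1))
        fi
    done

    return $problems
}

# Directory from the guide; the audit log file name is a placeholder.
if [ "${1:-}" = "--run" ]; then
    ipsec_cert_check /var/adm/ipsec /var/adm/ipsec/AUDIT_LOG_PLACEHOLDER
fi
```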
Details
Check the audit log for messages indicating that the certificate for the
local or remote system is expired, revoked, or has X.509 encoding errors.
You can also try using preshared keys for primary authentication. You
will need to configure the same preshared key on both systems.
Check that you have a certificate for the remote system. As part of the
IKE dialog, the remote system should send its certificate to the local
system. The IKE daemon stores a copy of the certificate in
/var/adm/ipsec/ipsec.cert. Check that this file has not been deleted.
If the file has been deleted, either restore it from a backup or re-create it
using the ipsec_config add certificate command and the base64