HP-UX IPSec version A.02.01 Administrator's Guide

Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 7
certificate files from the CA. Use the ipsec_config show cert
command to check the expiration date for the local and remote system
certificates.
Check that the /var/adm/ipsec/ipsec.key file has not been deleted. If
the file has been deleted, and you cannot restore from backup, you must
create a new Certificate Signing Request and get a new certificate.
IPsec SA Negotiation Fails (Quick Mode processing failed, QM negotiation timeout)
Problem
The IKE SA was established, but the IPsec SA negotiation failed.
Symptoms
Output from the ipsec_report -sa command shows an IKE SA but
does not show IPsec SAs, and the audit log contains Quick Mode
processing failed or QM negotiation timeout error messages.
Solution
Check the audit file on the responder for additional errors. For example,
the following audit file entries indicate that the responder rejected the
IPsec SA negotiation because the initiator proposed an ESP AES
transform that was not acceptable (not configured) on the responder:
Msg: 668 From: IKMPD Lvl: ERROR Date: Fri Sep 9 14:08:10 2005
Event: Rejected Transform ID: ESP_AES
Msg: 669 From: IKMPD Lvl: ERROR Date: Fri Sep 9 14:08:10 2005
Event: Error processing SA payload
Msg: 670 From: IKMPD Lvl: ERROR Date: Fri Sep 9 14:08:10 2005
Event: Quick Mode processing failed (mess ID 0xd25acd3f)
Run ipsec_policy to determine the IPsec policy that HP-UX IPSec is
using, or execute the ipsec_report -cache and ipsec_report -host
commands.
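
The audit-file check described above can be scripted. The following is an added example, not part of the HP guide: it pairs each Quick Mode failure with the transform rejected just before it. The function names are hypothetical, and the entry layout (each entry starts with "Msg:" and may wrap across lines) is assumed from the entries quoted above.

```shell
#!/bin/sh
# Added example (not from the guide): summarise Quick Mode failures in audit entries.
# Assumption: every entry starts with "Msg:" and may wrap over several lines,
# so lines are joined until the next "Msg:" before the fields are read.

# Constructed sample input: the three entries quoted above, wrapped as extracted.
sample_audit_entries() {
    cat <<'EOF'
Msg: 668 From: IKMPD Lvl: ERROR Date: Fri Sep 9 14:08:10
2005
Event: Rejected Transform ID: ESP_AES
Msg: 669 From: IKMPD Lvl: ERROR Date: Fri Sep 9 14:08:10
2005
Event: Error processing SA payload
Msg: 670 From: IKMPD Lvl: ERROR Date: Fri Sep 9 14:08:10
2005
Event: Quick Mode processing failed (mess ID 0xd25acd3f)
EOF
}

# Reads audit entries on stdin and prints one line per failure:
#   date | event | rejected_transform=<list or none>
# Heuristic: transforms rejected since the previous failure are attributed
# to the next Quick Mode failure in the file.
summarize_qm_failures() {
    awk '
    function emit(   ev, date, t) {
        if (rec == "") return
        ev = rec;   sub(/^.*Event: */, "", ev)
        date = rec; sub(/^.*Date: */, "", date); sub(/ *Event:.*$/, "", date)
        if (ev ~ /^Rejected Transform ID:/) {
            t = ev; sub(/^Rejected Transform ID: */, "", t)
            rejected = (rejected == "" ? t : rejected "," t)
        } else if (ev ~ /Quick Mode processing failed/ || ev ~ /QM negotiation timeout/) {
            printf "%s | %s | rejected_transform=%s\n", date, ev, (rejected == "" ? "none" : rejected)
            rejected = ""
        }
        rec = ""
    }
    /^Msg:/   { emit(); rec = $0; next }   # a new entry begins: process the previous one
    rec != "" { rec = rec " " $0 }         # continuation line of a wrapped entry
    END       { emit() }
    '
}

sample_audit_entries | summarize_qm_failures
```

To use it on the responder, redirect the audit file into `summarize_qm_failures` in place of the sample input, then compare any reported transform with the policy shown by ipsec_policy or ipsec_report -cache.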