HP-UX IPSec version A.02.01 Administrator's Guide
Troubleshooting HP-UX IPSec
Troubleshooting Scenarios
Chapter 7, page 222
In the above example, the user tried to add a manual key with inbound
SPI 513 (0x201). The secure policy daemon had already allocated
inbound SPI 513 for a dynamic key SA, and when the daemon received
the request to add the manual key SA with the same SPI, it logged the
above error and did not add the manual key SA.
Change the manual key SPI. Verify that the SPIs are unique and are not
within the range for dynamic key SPI numbers. The default range for
dynamic key SPI numbers is 300 - 2500000. Refer to the ipsec_config(1M)
manpage for more information on changing the dynamic key SPI range.
Invalid SADB_ADD
If the audit file contains an error message similar to the one below,
HP-UX IPSec may be rejecting a DES or 3DES encryption key because it
is too weak (not sufficiently random):
PF_KEY: Invalid SADB_ADD, SPI 0xnnnn, errno 22
Verify that the SPI number in the audit message matches a manual key
SPI. Examine the STREAMS log messages to verify that the error is
caused by a weak encryption key, as described in “Examining STREAMS
Logging Records” on page 222. See Chapter F, “Selecting Encryption
Keys” on page 287 for information on generating strong encryption keys.
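The two manual-key checks described above (SPIs unique and outside the dynamic range, and DES/3DES keys not obviously weak) can be run before a manual key is added. The following is an added example, not part of the HP-UX IPSec product or this guide; it also parses the "Invalid SADB_ADD" audit line so the rejected SPI can be matched against the configured manual SPIs. The weak-key test is an assumption (the four DES weak keys plus all-identical bytes); the guide does not document the exact test HP-UX applies.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Default dynamic-key SPI range from the guide; manual SPIs must stay outside it.
DYNAMIC_SPI_RANGE = (300, 2500000)

# Audit line shape from the guide: "PF_KEY: Invalid SADB_ADD, SPI 0xnnnn, errno 22"
AUDIT_RE = re.compile(r"PF_KEY: Invalid SADB_ADD, SPI 0x([0-9A-Fa-f]+), errno (\d+)")

# The four DES weak keys with parity bits cleared (assumed check, see lead-in).
DES_WEAK_KEYS = {
    bytes.fromhex("0000000000000000"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F0F0F0F0"),
    bytes.fromhex("1E1E1E1E0E0E0E0E"),
}


def strip_parity(key: bytes) -> bytes:
    """Clear the DES parity bit (LSB) of every byte so keys compare by effective value."""
    return bytes(b & 0xFE for b in key)


def weak_des_key(key: bytes) -> bool:
    """True if any 8-byte DES subkey is a DES weak key or has all-identical bytes.
    Accepts an 8-byte DES key or a 24-byte 3DES key."""
    if len(key) not in (8, 24):
        raise ValueError("DES keys are 8 bytes, 3DES keys are 24 bytes")
    for i in range(0, len(key), 8):
        sub = strip_parity(key[i:i + 8])
        if sub in DES_WEAK_KEYS or len(set(sub)) == 1:
            return True
    return False


def check_manual_spis(spis: Iterable[int], dyn_range=DYNAMIC_SPI_RANGE) -> List[Tuple[int, str]]:
    """Return (spi, reason) for every manual SPI that is duplicated or inside the dynamic range."""
    lo, hi = dyn_range
    seen, problems = set(), []
    for spi in spis:
        if spi in seen:
            problems.append((spi, "duplicate"))
        if lo <= spi <= hi:
            problems.append((spi, "inside dynamic SPI range"))
        seen.add(spi)
    return problems


def parse_invalid_sadb_add(line: str) -> Optional[Tuple[int, int]]:
    """Extract (spi, errno) from an 'Invalid SADB_ADD' audit line, or None if it does not match."""
    m = AUDIT_RE.search(line)
    return (int(m.group(1), 16), int(m.group(2))) if m else None
```

Run check_manual_spis over the SPIs of every manual key in the configuration; a non-empty result explains the "SPI already allocated" failure before the key is ever added.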
STREAMS Logging Messages and Additional Audit File Entries
In most cases, little information is logged when manual keys fail because
there is no IKE or IPsec SA negotiation. The ipsec_report -sa ipsec
and ipsec_report -host active output show the SAs when the SA
information is added to the runtime database, even if the SAs are not
acceptable to the remote system. To view additional data that may
include information about manual key SAs, use the following procedures
to examine the STREAMS logging records and additional audit file
entries.
Examining STREAMS Logging Records
You can use the strace utility to view STREAMS log records, or use the
following procedure to examine the nettl log file for entries logged by
the HP-UX IPSec STREAMS modules.
1. Execute the following command to determine the current nettl log
file (the default is /var/adm/nettl.LOG000) and the current log
classes for the STREAMS subsystem: