HP-UX IPSec Version A.03.00 Administrator's Guide

Troubleshooting Procedures
This section describes the following troubleshooting procedures:
“Checking Status” (page 145)
“Isolating HP-UX IPSec Problems from Upper-layer Problems” (page 146)
“Checking Policy Configuration” (page 146)
“Configuring HP-UX IPSec Auditing” (page 147)
Checking Status
HP-UX IPSec has five main modules:
IKE (ISAKMP/Oakley) daemon (ikmpd)
Policy daemon (secpolicyd)
Audit daemon (secauditd)
Kernel Policy engine
Kernel Security Association engine
The following command verifies the status of these modules:
ipsec_admin -status
This command sends status check messages to the IPsec daemons and checks kernel parameters
to see if the kernel IPsec components are enabled.
You can also use the following command to get status information:
ipsec_report -all [-file filename]
This command will show some HP-UX IPSec activity even if there is no peer system running
HP-UX IPSec. The -file option saves the output to the specified filename. This command
performs the following tasks:
Queries the kernel Security Association (SA) engine for active IPsec SAs on this system. If
there is no peer IPsec system and/or no active IPsec SAs, the kernel SA engine will respond
that there are no IPsec SAs to report. You can also do this by entering the command:
ipsec_report -sa ipsec
Queries the IKE daemon for IKE SAs. If there is no peer IPsec system or no IPsec traffic, the
IKE daemon will respond that there are no IKE SAs to report. You can also do this by entering
the following command:
ipsec_report -sa ike
Queries the IKE daemon and reports the IKE policies. You can also do this by entering the
following command:
ipsec_report -ike
Queries the policy daemon and reports the configured host IPsec policies. You can also do
this by entering the following command:
ipsec_report -host configured
Queries the policy daemon and reports the active host IPsec policies. To create the list of
active host IPsec policies, the policy daemon expands configured host IPsec policies with
wildcard and subnet specifications for the active IP interfaces (configured UP or DOWN,
plumbed) on the local system. The policy daemon also creates active host IPsec policies as
needed for active traffic by expanding remote IP address specifications and any other
wildcard field values. You can also do this by entering the following command:
ipsec_report -host [active]
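Added here as an illustration, not a script from the guide: a POSIX shell wrapper that runs the status checks described in this section in one pass and keeps each command's output for comparison or for a support escalation. It assumes ipsec_admin and ipsec_report are on PATH; the output file and directory names are the script's own choice.

```shell
#!/bin/sh
# Added example, not part of the HP-UX IPSec guide: run the status checks from
# this section in one pass and keep the output for comparison or escalation.
# Assumes ipsec_admin and ipsec_report are on PATH; the file and directory
# names used for the saved output are this script's own choice.

# One check per line: <output name> <command>. The ipsec_report entries are
# the individual queries that ipsec_report -all performs.
ipsec_checks() {
    cat <<'EOF'
admin_status    ipsec_admin -status
sa_ipsec        ipsec_report -sa ipsec
sa_ike          ipsec_report -sa ike
ike_policies    ipsec_report -ike
host_configured ipsec_report -host configured
host_active     ipsec_report -host active
EOF
}

# Run every check, saving its stdout and stderr to $1/<name>.out and one
# OK/FAIL line per check to $1/summary.txt. A check whose command is missing
# or exits non-zero is recorded as FAIL rather than stopping the collection.
# Returns the number of failed checks (0 when every module answered).
collect_ipsec_status() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    : > "$outdir/summary.txt"
    ipsec_checks | while read -r name cmd; do
        if $cmd > "$outdir/$name.out" 2>&1; then
            echo "OK   $name: $cmd" >> "$outdir/summary.txt"
        else
            echo "FAIL $name: $cmd (exit $?)" >> "$outdir/summary.txt"
        fi
    done
    # grep -c prints 0 but exits 1 when nothing matched; keep the count.
    failed=$(grep -c '^FAIL' "$outdir/summary.txt" || true)
    return "$failed"
}

# Stand-alone use: collect into a timestamped directory and show the summary.
if [ "${0##*/}" = "ipsec_status_check.sh" ]; then
    dir="/var/tmp/ipsec_status.$(date +%Y%m%d%H%M%S)"
    collect_ipsec_status "$dir"; rc=$?
    echo "$rc check(s) failed; details in $dir"
    cat "$dir/summary.txt"
fi
```

A non-zero exit from the collector tells you at a glance that at least one daemon or kernel query did not answer; summary.txt names which one.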
Troubleshooting Procedures 145