HP-UX IPSec Version A.03.00 Administrator's Guide
max_size is the maximum size for each audit file, in kilobytes. The default is 100 kilobytes.
When you modify startup parameters in the configuration database, the changes do not take effect until the next time HP-UX IPSec starts.
The startup configuration object includes other operating parameters. Any parameters you do not specify are reset to the default values, including the autoboot flag, which determines if HP-UX IPSec starts automatically at system startup time. To configure HP-UX IPSec to start automatically at system startup time, include the option -autoboot ON in the ipsec_config add startup command.
Viewing Audit Files
You must use the ipsec_report utility to view audit files. First, determine the current audit file:
ipsec_admin -status
Then use the -audit option of ipsec_report to display the file:
ipsec_report -audit audit_file
Filtering Audit File Output by Entity
You can filter the audit file output so ipsec_report shows only entries recorded by specified entities.
ipsec_report -audit audit_file -entity entity_name [entity_name ...]
where entity_name is one of the following names:
ikmpd
ipsec_admin
ipsec_config
ipsec_policy
ipsec_report
secauditd
secpolicyd
TIP: When troubleshooting problems with establishing SAs, set the audit level to informative. If you know which policy HP-UX IPSec is using, you can specify -entity ikmpd when displaying the audit file contents to view only the IKE audit entries.
Troubleshooting Tips
This section contains troubleshooting tips.
• Use the ipsec_report -sa command to determine if HP-UX IPSec is creating the IKE and IPsec SAs. For IKEv2, the absence of the IKE SA does not always indicate that the IKE SA negotiation failed. For more information, see “Determining if the IKEv2 SA Negotiation Succeeded” (page 154).
If HP-UX IPSec is not creating SAs, use ping, linkloop (if the remote system is connected to the same LAN), and other networking utilities to verify basic connectivity to the remote system. If you have firewalls or other packet filter utilities, verify that these utilities allow IPsec packets to pass. The utilities must allow the following types of traffic to pass:
— UDP port 500 (IKE negotiations)
— IP protocol number 50 (ESP protocol)
— IP protocol number 51 (AH protocol)
• Use the ipsec_report -cache command to determine what action HP-UX IPSec is selecting for a packet five-tuple. The ipsec_report -cache command will show an entry for a packet five-tuple even if the HP-UX IPSec action is to pass or discard the packet.
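The packet filter requirement above, as an added example that is not from this guide: a POSIX sh check that scans a rule file for pass rules covering UDP 500 (IKE), IP protocol 50 (ESP) and IP protocol 51 (AH). HP-UX IPFilter rule syntax is assumed, and the two sample rule sets are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide. Scans a packet-filter rule
# file for "pass" rules covering the three traffic types HP-UX IPSec needs:
# UDP port 500 (IKE), IP protocol 50 (ESP) and IP protocol 51 (AH).
# Assumption: HP-UX IPFilter rule syntax ("pass in quick proto udp from any
# to any port = 500"); protocols may be given by name or number.
# Caveat: a text sanity check only; it ignores rule order, interfaces and
# any earlier "block ... quick" rule that would shadow a pass rule.

# ipsec_filter_check FILE
# Prints a one-line verdict; returns 0 if all three types are passed, else 1.
ipsec_filter_check() {
    _missing=""
    # Drop comment lines, keep only "pass" rules.
    _pass=$(grep -v '^[[:space:]]*#' "$1" | grep '^[[:space:]]*pass')
    echo "$_pass" | grep -Eq \
        'proto[[:space:]]+(udp|17)([[:space:]].*)?port[[:space:]]*=[[:space:]]*500([[:space:]]|$)' \
        || _missing="$_missing udp/500(IKE)"
    echo "$_pass" | grep -Eq 'proto[[:space:]]+(esp|50)([[:space:]]|$)' \
        || _missing="$_missing ip-proto-50(ESP)"
    echo "$_pass" | grep -Eq 'proto[[:space:]]+(ah|51)([[:space:]]|$)' \
        || _missing="$_missing ip-proto-51(AH)"
    if [ -n "$_missing" ]; then
        echo "missing pass rules for:$_missing"
        return 1
    fi
    echo "pass rules present for IKE (UDP 500), ESP (50) and AH (51)"
    return 0
}

# Constructed sample rule sets (not real HP-UX configuration files).
RULES_OK=$(mktemp)
cat > "$RULES_OK" <<'EOF'
pass in quick proto udp from any to any port = 500 keep state
pass out quick proto udp from any to any port = 500 keep state
pass in quick proto esp from any to any
pass out quick proto esp from any to any
pass in quick proto 51 from any to any
pass out quick proto ah from any to any
EOF
RULES_BAD=$(mktemp)
cat > "$RULES_BAD" <<'EOF'
pass in quick proto udp from any to any port = 500 keep state
pass in quick proto esp from any to any
# pass in quick proto ah from any to any   <- AH rule left out
EOF
ipsec_filter_check "$RULES_OK"
ipsec_filter_check "$RULES_BAD" || true   # missing pass rules for: ip-proto-51(AH)
rm -f "$RULES_OK" "$RULES_BAD"
```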
Troubleshooting Tips 149