HP-UX IPSec Version A.03.00 Administrator's Guide

In some cases, the IKE daemon does not send a response if there is a mismatch in IKE
parameters. IKE uses this strategy to avoid responding to attackers. If you have misconfigured
IKE parameters, the IKE responder may therefore not send a response. In this case, the IKE
initiator's log file will show multiple retransmissions and an error message. For IKEv1
negotiations, the error message includes the text “phase1 negotiation failed due to time up”.
For IKEv2 negotiations, the error message includes the text “retransmission count exceeded
the limit”.

An IKE SA must exist before IKE can negotiate IPsec SAs. An IKE SA negotiation is initiated
when an IPsec SA pair is needed and there is no active IKE SA established with the remote
system.

When IKEv2 is used, the IKE SA is deleted if negotiations for the first IPsec SA pair fail.
The absence of an IKEv2 SA (the “ipsec_report -sa ike” command does not show an
IKEv2 SA) therefore does not always indicate that the IKE SA negotiation failed. See
“Determining if the IKEv2 SA Negotiation Succeeded” (page 154) for more information.

When IKEv1 is used, the IKE SA is not deleted if the first IPsec SA negotiation fails. The
absence of an IKEv1 SA always indicates that the IKE SA negotiation failed.
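
The no-response symptom described above can be checked for in the initiator's log with a short script. This is an added example, not part of the HP guide: only the two error-message strings come from the text, while the log line layout, the word "retransmit" in resend lines, the sample addresses and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example. Only the two message strings below come from the guide;
# the log layout and the "retransmit" wording are constructed assumptions.
V1_MSG='phase1 negotiation failed due to time up'
V2_MSG='retransmission count exceeded the limit'

# write_sample_log FILE: constructed initiator log, one IKEv1 and one IKEv2 attempt.
write_sample_log() {
    cat > "$1" <<'EOF'
2009-03-02 10:15:01 ikev1: retransmit phase1 packet to 192.0.2.10 (1)
2009-03-02 10:15:11 ikev1: retransmit phase1 packet to 192.0.2.10 (2)
2009-03-02 10:15:31 ikev1: ERROR: phase1 negotiation failed due to time up
2009-03-02 10:20:02 ikev2: retransmit IKE_SA_INIT request to 192.0.2.20 (1)
2009-03-02 10:20:06 ikev2: retransmit IKE_SA_INIT request to 192.0.2.20 (2)
2009-03-02 10:20:14 ikev2: ERROR: retransmission count exceeded the limit
EOF
}

# ike_timeout_triage FILE: count timeout errors per IKE version in one pass.
# Resend lines are counted separately so the error lines are not double-counted.
ike_timeout_triage() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v v1="$V1_MSG" -v v2="$V2_MSG" '
        index($0, v1) { n1++; next }
        index($0, v2) { n2++; next }
        /retransmit/  { rt++ }
        END {
            printf "ikev1_timeouts=%d ikev2_timeouts=%d retransmits=%d\n", n1, n2, rt
            if (n1 + n2 > 0) {
                print "verdict=peer-silent: compare IKE parameters on both systems"
            } else {
                print "verdict=no-timeout-seen"
            }
        }' "$1"
}

# Demo on the constructed log.
sample="${TMPDIR:-/tmp}/ike_sample.$$"
write_sample_log "$sample"
ike_timeout_triage "$sample"
rm -f "$sample"
```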