HP-UX IPSec Version A.03.00 Administrator's Guide
HP-UX IPSec Incorrectly Attempts to Encrypt/Authenticate Packets
Problem
IPsec is attempting to encrypt or authenticate (apply a transform) packets that should not be
encrypted or authenticated.
Symptoms
Link errors (unable to connect or connection timeouts) on traffic that should not be
encrypted/authenticated.
Solution
Run the following commands:
• ping and linkloop (check connectivity)
• ipsec_policy, or ipsec_report -cache and ipsec_report -host (determine the policy
being used)
Check the configuration file.
If HP-UX IPSec is misconfigured to encrypt and/or authenticate packets that it should not, and
the peer system is not configured for IPsec encryption/authentication of that traffic, the peer
cannot process the protected packets and you will consistently get connection errors (unable to
connect or connection timed out).
Check connectivity to the remote system using /etc/ping and the linkloop utility.
Verify which IPsec policy is being applied to the traffic with the ipsec_policy command, then
check the configuration file for the policy that selected the transform.
HP-UX IPSec Attempts to Encrypt/Authenticate and Fails
Problem
IPsec attempts to encrypt/authenticate packets and fails.
Symptoms
If HP-UX IPSec is configured to encrypt/authenticate but is failing to do so, the failure appears
to the user as a connection error (unable to connect or connection timed out). Output from the
ipsec_report -sa ipsec command shows no IPsec SAs for the traffic.
Solution
Determine the IKE version number, if needed. Then determine when IPsec is failing: whether the
IKE SA negotiation failed, or the IKE SA negotiation succeeded and the subsequent IPsec SA
negotiation is failing. Finally, determine why the IKE SA or IPsec SA negotiation is failing.
Determining the IKE Version Number
If you are not certain which IKE version number is being used, there are two methods to determine
the IKE version:
• Use the ipsec_policy command to determine the authentication policy selected, then
use the ipsec_config show auth name command to display the value of the kmp
parameter.
• Set the audit level to informative (use the command ipsec_admin -auditlvl
INFORMATIVE) or higher and retry the negotiation. Search the audit file for the text
"found ike". The IKE daemon creates an informative log record when it selects the IKE policy
for a negotiation. This message has the following format:
found ikevn: policy_name
where n is the IKE version number and policy_name is the name of the selected IKE policy.
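The audit-file method above can be scripted so that the IKE version selected for a negotiation is read off the most recent "found ikevn: policy_name" record instead of by eye. The following POSIX shell script is an added example, not part of the HP-UX IPSec guide or product. It relies only on the documented "found ikevN: policy_name" text; the rest of each sample audit line (timestamp, daemon name, severity) is constructed here for illustration and is not the product's actual record layout. Raising the audit level with ipsec_admin -auditlvl INFORMATIVE and retrying the negotiation still has to be done on the HP-UX system first.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide): extract the IKE version
# the IKE daemon selected from an ipsec audit file.

# ike_version_from_audit FILE [POLICY]
#   Prints the version number N from the last "found ikevN: policy_name"
#   record in FILE (the last record wins, so a retried negotiation
#   overrides an earlier one).  With POLICY given, only records naming
#   that IKE policy are considered.  Returns 1 and prints nothing when
#   no matching record exists.
ike_version_from_audit() {
    file=$1
    policy=${2:-}
    if [ -n "$policy" ]; then
        # The documented message ends with the policy name, so anchor on it.
        pat="found ikev[0-9][0-9]*: $policy\$"
    else
        pat="found ikev[0-9][0-9]*: "
    fi
    ver=$(grep "$pat" "$file" | tail -n 1 \
          | sed 's/.*found ikev\([0-9][0-9]*\): .*/\1/')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# make_sample_audit
#   Writes a constructed sample audit file and prints its path.  Only the
#   "found ikevN: name" text follows the documented format; the
#   surrounding fields are assumptions made for this example.
make_sample_audit() {
    f=${TMPDIR:-/tmp}/ipsec_audit_sample.$$
    cat > "$f" <<'EOF'
12/03/09 10:15:02 ikmpd[1234] informative: found ikev1: Legacy_peer_policy
12/03/09 10:15:03 ikmpd[1234] informative: IKE SA negotiation with 10.1.1.5 failed
12/03/09 10:20:41 ikmpd[1234] informative: found ikev2: Branch_gw_policy
EOF
    printf '%s\n' "$f"
}

# Demonstration: in practice point the function at the real audit file.
f=$(make_sample_audit)
echo "IKE version of most recent negotiation: $(ike_version_from_audit "$f")"
echo "IKE version for Legacy_peer_policy:     $(ike_version_from_audit "$f" Legacy_peer_policy)"
if ! ike_version_from_audit "$f" No_such_policy >/dev/null; then
    echo "No 'found ike' record for No_such_policy (policy never selected)"
fi
rm -f "$f"
```

Once the version is known, the matching ipsec_config show auth name output should show the same value in its kmp parameter; a mismatch between the two points at the wrong IKE policy being selected for the traffic rather than at a negotiation failure.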
Troubleshooting Scenarios 153