HP-UX IPSec Version A.03.00 Administrator's Guide

Where n is the IKE version and policy_name is the IKEv1 or IKEv2 policy used. For
example:
Msg: 1258 From: IKMPD Lvl: INFORMATIVE Date: Mon Mar 2 22:52:09 2009
Event: found ikev1 policy: default
Determining if the IKEv1 SA Negotiation Succeeded
If you are using IKEv1, the output from ipsec_report -sa ike shows the IKEv1 SA if the
IKE SA negotiation succeeded. If the output does not show the IKEv1 SA, the negotiation
failed and the audit log also contains the error phase1 negotiation failed due to time
up.
If the IKEv1 SA negotiation failed, see “IKEv1 SA Negotiation Fails or Times Out (phase1
negotiation failed)” (page 154).
If the IPsec SA negotiation failed, see “IPsec SA Negotiation Fails” (page 157).
Determining if the IKEv2 SA Negotiation Succeeded
If you are using IKEv2, the IKE daemon deletes the IKE SA if the negotiation for the first pair of
IPsec (child) SAs fails. If this occurs, the output from ipsec_report -sa ike does not show
an IKEv2 SA even though the IKEv2 SA negotiation succeeded. To determine whether the IKE SA was
successfully established, check the audit files as follows:
On the responder, set the audit level to informative or debug and check for an informative
message with the text found host selector. For example:
Msg: 372 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 11:53:27 2009
Event: found host selector: myHostPol
This message indicates that the IKEv2 negotiation succeeded, and the responder then searched
for and found a host policy that matched the traffic selectors in the IPsec SA negotiation.
If the audit level is set to debug, the audit file on the responder will also contain debug
messages showing that the IKE daemon received traffic selectors (TS) for the IPsec SA
negotiation.
Note that the presence of the found host selector message in the initiator audit file
does not always indicate that the IKE SA negotiation succeeded. On the initiator, the IKE
daemon logs this message at the beginning of the IKE SA negotiation.
On the initiator, set the audit level to debug and check for a debug message similar to the
following:
Msg: 221 From: IKMPD Lvl: DEBUG Date: Fri Feb 20 23:00:04 2009
Event: local 10.1.1.1/500 - remote 10.2.2.2/500:ike_sa 40079580 state INI_IKE_SA_INIT_SENT -> DYING
The state transition INI_IKE_SA_INIT_SENT -> DYING indicates that the IKE daemon
terminated the IKEv2 SA negotiation after it sent the first message in the negotiation; this
indicates that the IKEv2 SA negotiation failed.
If the state transition is INI_IKE_AUTH_SENT -> DYING, the IKE daemon terminated the
IKEv2 SA negotiation after it sent the third message in the negotiation; this indicates
that either the IKEv2 SA authentication failed or the first IPsec SA negotiation failed.
If the IKEv2 SA negotiation failed, see “IKEv2 SA Negotiation Fails or Times Out
(retransmission count exceeded the limit)” (page 156).
If the IPsec SA negotiation failed, see “IPsec SA Negotiation Fails” (page 157).
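The checks described above can be scripted against a copy of the audit file. The following is an added example, not part of this guide or of HP-UX IPSec: it pairs each Msg: header with its Event: line, applies the initiator state-transition rules and the responder "found host selector" rule, and deliberately ignores "found host selector" on the initiator, where the guide notes it is logged at the start of the negotiation. The audit records are constructed samples in the format shown above.

```python
import re

# Constructed sample audit records (not captured from a real system).
RESPONDER_AUDIT = """\
Msg: 1258 From: IKMPD Lvl: INFORMATIVE Date: Mon Mar 2 22:52:09 2009
Event: found ikev1 policy: default
Msg: 372 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 11:53:27 2009
Event: found host selector: myHostPol
"""

INITIATOR_AUDIT = """\
Msg: 100 From: IKMPD Lvl: INFORMATIVE Date: Fri Feb 20 23:00:01 2009
Event: found host selector: myHostPol
Msg: 221 From: IKMPD Lvl: DEBUG Date: Fri Feb 20 23:00:04 2009
Event: local 10.1.1.1/500 - remote 10.2.2.2/500:ike_sa 40079580 state INI_IKE_SA_INIT_SENT -> DYING
"""

# Matches the "ike_sa <id> state <old> -> <new>" part of an initiator debug event.
STATE_RE = re.compile(r"ike_sa (\w+) state (\w+) -> (\w+)")


def parse_events(audit_text):
    """Return (header, event) pairs; each Msg: line is followed by its Event: line."""
    events, header = [], None
    for line in audit_text.splitlines():
        if line.startswith("Msg:"):
            header = line
        elif line.startswith("Event:") and header is not None:
            events.append((header, line[len("Event:"):].strip()))
            header = None
    return events


def classify_ikev2(audit_text, role):
    """Apply the guide's IKEv2 rules for one peer; role is 'initiator' or 'responder'.

    Returns 'ike_sa_failed', 'auth_or_child_failed', 'ike_sa_ok' or 'inconclusive'.
    """
    for _, event in parse_events(audit_text):
        match = STATE_RE.search(event)
        if role == "initiator" and match and match.group(3) == "DYING":
            if match.group(2) == "INI_IKE_SA_INIT_SENT":
                return "ike_sa_failed"          # died after the first message
            if match.group(2) == "INI_IKE_AUTH_SENT":
                return "auth_or_child_failed"   # died after the third message
        if role == "responder" and event.startswith("found host selector"):
            return "ike_sa_ok"                  # responder matched a host policy
    # On the initiator, "found host selector" proves nothing, so fall through here.
    return "inconclusive"
```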
IKEv1 SA Negotiation Fails or Times Out (phase1 negotiation failed)
Problem
IKEv1 IKE SA negotiation fails or times out.
154 Troubleshooting HP-UX IPSec