HP-UX IPSec Version A.03.00 Administrator's Guide

Symptoms
The output from the ipsec_report -sa ike command does not show the IKEv1 SA. The
audit log contains the error phase1 negotiation failed due to time up.
Solution
Use the ipsec_report -audit command to view the audit file entries. The audit message
phase1 negotiation failed due to time up can indicate either of the following:
A connectivity problem with the remote system: the initiator's IKE messages, or the
responder's replies, are not reaching the other side.
A mismatch in IKE configuration. HP-UX, like other IKE responders, does not reply at all
if the initiator sends an SA proposal it cannot accept; the initiator keeps retransmitting
until its timer expires, and its audit file then shows the time up error message.
Check that the responder is receiving the IKE messages from the initiator. If the audit level
is set to informative on the responder, the audit file will contain a message similar to the
following if it is receiving the initial IKE negotiation message:
Msg: 125 From: IKMPD Lvl: INFORMATIVE Date: Mon Mar 2 22:33:27 2009
Event: respond new phase 1 negotiation: 10.1.1.1/500<=>105.2.2.2/500
The log file on the responder may also show an error message that indicates a mismatch in
the IKEv1 SA proposals, such as the following:
Msg: 1131 From: IKMPD Lvl: ERROR Date: Mon Mar 2 22:52:02 2009 Event: rejected hashtype:
DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA1
Use the ipsec_policy utility to determine the IKE policy being used, as described in
“Using ipsec_policy” (page 146). Verify that the values for the following IKE parameters
match the values on the remote system:
Diffie-Hellman group
Local and remote authentication method
Authentication (hash) algorithm
Encryption algorithm
The preshared key value, if you are using preshared key authentication. On HP-UX
systems, this is configured using the ipsec_config add auth command. HP-UX
stores a value prefixed with 0x as a hexadecimal byte string and stores any other value
as ASCII characters, so the same key must be entered in a form that yields the same
bytes on both systems. The ipsec_config command does not allow spaces in the key,
and any double quotation marks that reach the command become part of the key value.
If you are using RSA signatures, see “IKE Primary Authentication Fails with Certificates”
(page 158).
Enable a nettl level 4 trace using the command ipsec_admin -traceon, or use a line
analyzer trace or tcpdump, to verify that the packets are being sent to and received from
the correct remote system, and check whether the remote IKE entity is responding. IKE
sends and receives its packets on UDP port 500; if NAT traversal is in use, the exchange
moves to UDP port 4500 once a NAT is detected, so capture both ports.
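As an added troubleshooting aid (example code written for this page, not part of HP-UX IPSec or this guide), the script below applies the checks above to saved ipsec_report -audit output: it classifies the time-up failure as a connectivity problem, a proposal mismatch (extracting the local and peer values from a rejected event) or a missing reply, and it compares two preshared key values the way ipsec_config stores them, so that a 0x prefix or stray double quotes can be spotted. The audit entries inside it are constructed to match the message formats shown on this page, the IP addresses and interface name are placeholders, and all function names are this example's own.

```shell
#!/bin/sh
# Triage helper for "phase1 negotiation failed due to time up".
# Added example, not part of HP-UX IPSec or this guide. Assumes the output of
# "ipsec_report -audit" on each system has been captured into a variable or
# file; the audit entries below are constructed to mirror the message formats
# shown on this page, and the function names are this example's own.

# --- constructed sample audit extracts --------------------------------------
INITIATOR_AUDIT='Msg: 88 From: IKMPD Lvl: ERROR Date: Mon Mar 2 22:52:09 2009
Event: phase1 negotiation failed due to time up'

# Responder received the first message and rejected the hash algorithm.
RESPONDER_MISMATCH='Msg: 125 From: IKMPD Lvl: INFORMATIVE Date: Mon Mar 2 22:33:27 2009
Event: respond new phase 1 negotiation: 10.1.1.1/500<=>105.2.2.2/500
Msg: 1131 From: IKMPD Lvl: ERROR Date: Mon Mar 2 22:52:02 2009 Event: rejected hashtype:
DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA1'

# Responder received the first message but logged no rejection.
RESPONDER_NO_REJECT='Msg: 125 From: IKMPD Lvl: INFORMATIVE Date: Mon Mar 2 22:33:27 2009
Event: respond new phase 1 negotiation: 10.1.1.1/500<=>105.2.2.2/500'

# Responder audit contains nothing about this peer (empty extract).
RESPONDER_SILENT=''

# --- audit file checks ------------------------------------------------------
# True if the initiator audit shows the phase 1 time-up symptom.
initiator_timed_out() {   # $1 = initiator audit text
    printf '%s\n' "$1" | grep -q 'phase1 negotiation failed due to time up'
}

# True if the responder logged the initiator's first IKE message (requires
# audit level informative on the responder). $2 = initiator IP address.
responder_saw_initiator() {   # $1 = responder audit text
    printf '%s\n' "$1" | grep -q "respond new phase 1 negotiation: .*$2/500"
}

# Print "<param> local=<DB value> peer=<peer value>" for every "rejected ..."
# event. Lines are joined first because a report may wrap the event.
rejected_params() {   # $1 = responder audit text
    printf '%s\n' "$1" | tr '\n' ' ' | awk '{
        while (match($0, /rejected [a-z]+: DB\([^)]*\):Peer\([^)]*\) = [^ ]+/)) {
            ev = substr($0, RSTART, RLENGTH)
            $0 = substr($0, RSTART + RLENGTH)
            split(ev, f, " ")          # f[2]="hashtype:"  f[5]="MD5:SHA1"
            sub(/:$/, "", f[2])
            split(f[5], v, ":")        # v[1] = local (DB) value, v[2] = peer value
            printf "%s local=%s peer=%s\n", f[2], v[1], v[2]
        }
    }'
}

# Classify the failure the way the procedure above does. Prints one of:
#   connectivity       the initiator's message never reached the responder
#   mismatch: ...      the responder rejected a proposal parameter (shown)
#   reply-path         responder saw the message but logged no rejection;
#                      trace UDP 500/4500 to see whether its reply gets back
#   not-this-scenario  the initiator audit lacks the time-up event
triage_phase1() {   # $1 = initiator audit, $2 = responder audit, $3 = initiator IP
    if ! initiator_timed_out "$1"; then
        echo "not-this-scenario"; return 1
    fi
    if ! responder_saw_initiator "$2" "$3"; then
        echo "connectivity"; return 0
    fi
    params=$(rejected_params "$2")
    if [ -n "$params" ]; then
        echo "mismatch: $params"
    else
        echo "reply-path"
    fi
}

# --- preshared key comparison -----------------------------------------------
# Canonical byte representation (lowercase hex) of a key as ipsec_config
# stores it: a 0x-prefixed value is hexadecimal, anything else is ASCII, and
# double quotes that reach the command are part of the key.
psk_hex() {   # $1 = key value exactly as the command received it
    case $1 in
        0x*|0X*) printf '%s' "${1#0?}" | tr 'A-F' 'a-f' ;;
        *)       printf '%s' "$1" | od -An -tx1 | tr -d ' \n' ;;
    esac
}

# True if two key values denote the same bytes.
psk_match() { [ "$(psk_hex "$1")" = "$(psk_hex "$2")" ]; }

# Usage on real systems (placeholders, not run here): save the audit output on
# each side, then
#   triage_phase1 "$(cat initiator.audit)" "$(cat responder.audit)" 10.1.1.1
# and, while the initiator retries, capture on the responder with e.g.
#   tcpdump -n -i lan0 udp port 500 or udp port 4500
```

The mismatch branch prints the rejected parameter with the local (DB) and peer values side by side, which is the comparison the IKE parameter list above asks for; psk_match shows why a key typed as "abc" on one side and 0x616263 on the other agrees, while a key that picked up its surrounding double quotes does not.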
Troubleshooting Scenarios 155