HP-UX IPSec Version A.03.00 Administrator's Guide

stores all values prefixed with 0x as hexadecimal values and stores all other values as ASCII values. The ipsec_config command does not allow spaces, and any double quote marks in the command are added to the key value.
If you are using RSA signatures, see “IKE Primary Authentication Fails with Certificates” (page 158).
Enable a nettl level 4 trace using the command ipsec_admin -traceon, or use a line analyzer trace or tcpdump to verify that the packets are being sent and received by the correct remote system. Check whether the remote IKE entity is responding. IKE always uses UDP port 500 to receive and send IKE packets.
IPsec SA Negotiation Fails
Problem
The IKEv1 or IKEv2 SA was established, but the IPsec SA negotiation failed.
Symptoms
If you are using IKEv1, output from the ipsec_report -sa command shows an IKEv1 SA but does not show IPsec SAs.
If you are using IKEv2, output from the ipsec_report -sa command might not show an IKEv2 SA. See “Determining if the IKEv2 SA Negotiation Succeeded” (page 154) for information on determining if the IKEv2 SA was established.
Solution
Determine the host or tunnel policy used on each system for the traffic. Use one of the following methods:
• Use the ipsec_policy utility to query the policy daemon.
• Use audit file entries. Set the debug level to INFORMATIVE or higher. Search the audit files for entries with the text found host selector. For example:
Msg: 450 From: IKMPD Lvl: INFORMATIVE Date: Tue Mar 17 12:42:54 2009
Event: found host selector: telnetIn
If there is no matching host policy on the responder, the IKE daemon logs an error in the audit file and uses the default host policy. For IKEv1, the message is similar to the following:
Msg: 443 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:33:06 2009
Event: can't find matching selector
For IKEv2, the IKE daemon logs an error message similar to the following if it receives an IPsec negotiation for which it has no matching host policy:
Msg: 357 From: IKMPD Lvl: ERROR Date: Wed Mar 4 18:54:01 2009
Event: local ? - remote ?:ts unacceptable
• Use the ipsec_report -cache command to determine the action selected for a given packet. If the packet did not match any configured policies and you are using the default host policy shipped with the product, the cache entry for the packet will show the action PASS.
Check the following items in the host policies:
• source and destination descriptors
• priority
• transform list and lifetimes
Check the audit files for additional information. The audit file entries differ according to the IKE version used.
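The audit-file method above amounts to scanning for three Event strings: the INFORMATIVE "found host selector" entry that names the policy the daemon picked, and the two ERROR entries ("can't find matching selector" for IKEv1, "ts unacceptable" for IKEv2) that mean the responder fell back to the default host policy. The following script is an added example, not part of the HP-UX guide or product; it parses the two-line Msg/Event record format shown in the audit excerpts above and summarizes which policies were selected and how many negotiations hit a missing-policy error. The sample excerpt is constructed from the entries quoted in the guide plus one unrelated record to show that other entries are ignored; function names and the record layout assumption (one header line followed by one Event line) are this example's own.

```python
import re

# Constructed sample audit-file excerpt, modelled on the entries quoted in the
# guide. The final record is made up to show that unrelated entries are skipped.
SAMPLE_AUDIT = """\
Msg: 450 From: IKMPD Lvl: INFORMATIVE Date: Tue Mar 17 12:42:54 2009
Event: found host selector: telnetIn
Msg: 443 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:33:06 2009
Event: can't find matching selector
Msg: 357 From: IKMPD Lvl: ERROR Date: Wed Mar 4 18:54:01 2009
Event: local ? - remote ?:ts unacceptable
Msg: 999 From: IKMPD Lvl: INFORMATIVE Date: Wed Mar 4 18:55:10 2009
Event: example unrelated entry (constructed)
"""

# Header line of a record: "Msg: <n> From: <daemon> Lvl: <level> Date: <text>"
HEADER_RE = re.compile(
    r"^Msg:\s*(?P<msg>\d+)\s+From:\s*(?P<src>\S+)\s+Lvl:\s*(?P<lvl>\S+)\s+Date:\s*(?P<date>.+)$"
)


def parse_records(text):
    """Yield one dict per header+Event pair; stray lines are skipped.

    Assumption (this example's own): each record is exactly a header line
    followed by a single 'Event:' line, as in the excerpts in the guide.
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1].startswith("Event:"):
            rec = m.groupdict()
            rec["msg"] = int(rec["msg"])
            rec["event"] = lines[i + 1][len("Event:"):].strip()
            yield rec
            i += 2
        else:
            i += 1


def classify(event):
    """Map an Event text to a policy-lookup outcome, or None if unrelated."""
    if event.startswith("found host selector:"):
        # Policy name follows the colon, e.g. "telnetIn".
        return ("selected", event.split(":", 1)[1].strip())
    if event == "can't find matching selector":
        return ("no_match_ikev1", None)          # IKEv1 responder had no policy
    if event.endswith("ts unacceptable"):
        return ("no_match_ikev2", None)          # IKEv2 traffic selectors rejected
    return None


def summarize(text):
    """Count policy selections and missing-policy errors in an audit excerpt."""
    result = {"selected": [], "no_match_ikev1": 0, "no_match_ikev2": 0}
    for rec in parse_records(text):
        outcome = classify(rec["event"])
        if outcome is None:
            continue
        kind, policy = outcome
        if kind == "selected":
            result["selected"].append(policy)
        else:
            result[kind] += 1
    return result


def diagnose(summary):
    """Turn the summary into the conclusion the guide draws from these entries."""
    if summary["no_match_ikev1"] or summary["no_match_ikev2"]:
        return "responder found no matching host policy; default host policy used"
    if summary["selected"]:
        return "host policy selected: " + ", ".join(summary["selected"])
    return "no policy-selection entries found; raise debug level to INFORMATIVE"


if __name__ == "__main__":
    s = summarize(SAMPLE_AUDIT)
    print(s)
    print(diagnose(s))
```

Point the script at a real audit file by reading it into a string and passing it to summarize(); on a system where only "found host selector" entries appear, the diagnosis names the policies chosen, which you can then compare against the source/destination descriptors, priority, and transform list on the other end of the tunnel.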
Troubleshooting Scenarios 157