HP-UX IPSec Version A.03.00 Administrator's Guide
IKEv1 IPsec SA Error
The following audit file entries indicate that the responder rejected the IPsec SA negotiation
because the initiator proposed an ESP transform using the AES encryption method, but the
responder is configured for 3DES:
Msg: 622 From: IKMPD Lvl: WARNING Date: Tue Mar 17 12:42:55 2009
Event: trns_id mismatched: my:3DES peer:AES
Msg: 623 From: IKMPD Lvl: ERROR Date: Tue Mar 17 12:42:55 2009
Event: not matched
Msg: 624 From: IKMPD Lvl: ERROR Date: Tue Mar 17 12:42:55 2009
Event: no suitable policy found.
IKEv2 IPsec SA Error
The following responder audit file entry indicates that none of the IPsec SA proposals matched:
Msg: 412 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:08:36 2009
Event: local ? - remote ?:no proposal chosen
The audit file on the initiator shows the following entries:
Msg: 647 From: IKMPD Lvl: INFORMATIVE Date: Tue Mar 17 13:09:42 2009
Event: received notify type NO_PROPOSAL_CHOSEN
Msg: 648 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:09:42 2009
Event: local 10.1.1.1/500 - remote 10.2.2.2/500:message lacks IDr payload
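The entries above come in pairs: a Msg: header (number, source, level, date) followed by the Event: line that belongs to it. The following POSIX shell script is an added example, not part of the HP-UX IPSec guide; it pairs each header with its event, reports every IKEv1 trns_id mismatched event with both sides' transform IDs, counts the IKEv2 proposal rejections seen from either side (the responder's no proposal chosen event and the initiator's NO_PROPOSAL_CHOSEN notify), and lists the ERROR-level events in order. The sample audit file is constructed from the entries on this page; the function names and the temporary file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide. Parses HP-UX IPSec audit
# entries (two lines each: "Msg: ..." then "Event: ...") for IKE SA proposal
# failures. Function names and the temp-file path are assumptions.

# Constructed sample audit file, built from the entries shown in the guide
# (one IKEv1 transform mismatch and one IKEv2 NO_PROPOSAL_CHOSEN exchange).
SAMPLE_AUDIT="${TMPDIR:-/tmp}/ipsec_audit_sample.$$"
cat > "$SAMPLE_AUDIT" <<'EOF'
Msg: 622 From: IKMPD Lvl: WARNING Date: Tue Mar 17 12:42:55 2009
Event: trns_id mismatched: my:3DES peer:AES
Msg: 623 From: IKMPD Lvl: ERROR Date: Tue Mar 17 12:42:55 2009
Event: not matched
Msg: 624 From: IKMPD Lvl: ERROR Date: Tue Mar 17 12:42:55 2009
Event: no suitable policy found.
Msg: 412 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:08:36 2009
Event: local ? - remote ?:no proposal chosen
Msg: 647 From: IKMPD Lvl: INFORMATIVE Date: Tue Mar 17 13:09:42 2009
Event: received notify type NO_PROPOSAL_CHOSEN
Msg: 648 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:09:42 2009
Event: local 10.1.1.1/500 - remote 10.2.2.2/500:message lacks IDr payload
EOF
trap 'rm -f "$SAMPLE_AUDIT"' EXIT

# ikev1_transform_mismatches FILE
# Prints one line per "trns_id mismatched" event: the message number and
# audit level from the preceding "Msg:" header, plus the local ("my") and
# peer transform IDs, e.g. "msg=622 lvl=WARNING my=3DES peer=AES".
ikev1_transform_mismatches() {
    awk '
        /^Msg:/ { msg = $2; lvl = $6; next }   # fields 2 and 6 of the header
        /^Event: trns_id mismatched:/ {
            my = $4; peer = $5                   # "my:3DES" and "peer:AES"
            sub(/^my:/, "", my); sub(/^peer:/, "", peer)
            printf "msg=%s lvl=%s my=%s peer=%s\n", msg, lvl, my, peer
        }' "$1"
}

# ikev2_no_proposal_count FILE
# Counts IKEv2 proposal rejections from either side: the responder's
# "no proposal chosen" event and the initiator's NO_PROPOSAL_CHOSEN notify.
ikev2_no_proposal_count() {
    awk '/^Event:.*no proposal chosen/ || /^Event: received notify type NO_PROPOSAL_CHOSEN/ { n++ }
         END { print n + 0 }' "$1"
}

# error_events FILE
# Lists the Event text of every ERROR-level entry, in file order, so the
# sequence leading to "no suitable policy found." can be read at a glance.
error_events() {
    awk '
        /^Msg:/ { lvl = $6; next }
        /^Event:/ && lvl == "ERROR" { sub(/^Event: /, ""); print }' "$1"
}

echo "IKEv1 transform mismatches:"
ikev1_transform_mismatches "$SAMPLE_AUDIT"
echo "IKEv2 proposal rejections: $(ikev2_no_proposal_count "$SAMPLE_AUDIT")"
echo "ERROR events:"
error_events "$SAMPLE_AUDIT"
```

On a real system, point the functions at the live audit file instead of the constructed sample; a "my=3DES peer=AES" line tells you immediately which side's transform list to change, and a non-zero IKEv2 rejection count with no mismatch line means the failing proposal is on the IKEv2 side.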
IKE Primary Authentication Fails with Certificates
Problem
Certificate-based (RSA signature) primary authentication fails.
Symptoms
For IKEv1, output from the ipsec -sa ike command does not show the IKEv1 SA.
For IKEv2, output from the ipsec -sa ike command does not show the IKEv2 SA. However,
this does not always indicate that the IKEv2 SA negotiation failed. See “Determining if the IKEv2
SA Negotiation Succeeded” (page 154) for information on determining if the IKEv2 SA was
established.
Solution
Check the audit file for an expired certificate, revoked certificate, or certificate encoding problems.
Try preshared key authentication. If the SA is then established, the problem is isolated to the certificate configuration.
Enter the ipsec_config show mycert command and check the certificate for the local system.
Enter the ipsec_config show cacert command and check that there is a valid certificate
for each CA and a valid CRL issued by each CA. The certificates and CRLs are stored in the
/var/adm/ipsec/certstore directory.
Check that the /var/adm/ipsec/cainfo.txt file is present.
Details
Check the audit log for messages indicating that the certificate for the local or remote system is
expired, revoked, or has X.509 encoding errors.
If the audit level is set to informative or higher, you will see the following message when HP-UX
IPSec starts and the local certificate is valid:
Msg: 4 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:40:32 2009
Event: Either certificate or preshared key can be used for authentication.
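The checks in the Solution and Details sections above can be scripted. The following POSIX shell script is an added example, not part of the HP-UX IPSec guide; it verifies the files the guide says must be present (cainfo.txt and a populated certstore), looks in the audit file for the INFORMATIVE start-up message quoted above, and lists audit events that mention expired, revoked, or encoding problems. The paths follow the guide (/var/adm/ipsec/cainfo.txt and /var/adm/ipsec/certstore, passed in as a directory argument so the script can be run against a test directory); the function names, the keyword patterns used to find certificate problems (the guide names the conditions but not the exact message text), and the sample directory and audit entries are assumptions constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide: triage script for
# certificate-based IKE authentication failures. The cainfo.txt and
# certstore names come from the guide; function names, the keyword patterns
# below, and the sample data are assumptions for this demo.

# Constructed sample: a stand-in for /var/adm/ipsec plus a small audit file.
SAMPLE_DIR="${TMPDIR:-/tmp}/ipsec_cert_demo.$$"
mkdir -p "$SAMPLE_DIR/certstore"
: > "$SAMPLE_DIR/cainfo.txt"
: > "$SAMPLE_DIR/certstore/placeholder.crt"   # a real store holds CA certs and CRLs
SAMPLE_AUDIT="$SAMPLE_DIR/audit.log"
# First entry is the start-up message quoted in the guide; the second is a
# constructed illustrative entry, not real HP-UX IPSec message text.
cat > "$SAMPLE_AUDIT" <<'EOF'
Msg: 4 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:40:32 2009
Event: Either certificate or preshared key can be used for authentication.
Msg: 91 From: IKMPD Lvl: ERROR Date: Tue Feb 24 22:51:10 2009
Event: peer certificate expired (constructed illustrative entry)
EOF
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# cert_startup_ok AUDITFILE
# Returns 0 if the audit file carries the INFORMATIVE start-up message the
# guide says is logged when the local certificate is valid (requires audit
# level informative or higher); 1 otherwise.
cert_startup_ok() {
    grep -q 'Either certificate or preshared key can be used for authentication' "$1"
}

# cert_audit_problems AUDITFILE
# Prints Event text for entries mentioning expired, revoked, or encoding
# problems. The keyword list is an assumption.
cert_audit_problems() {
    awk '/^Event:/ && tolower($0) ~ /expired|revoked|encoding/ { sub(/^Event: /, ""); print }' "$1"
}

# check_cert_files DIR
# Verifies the files the guide requires under DIR (/var/adm/ipsec on a real
# host): cainfo.txt and a non-empty certstore. Prints one line per finding
# and returns the number of problems found (0 means everything is present).
check_cert_files() {
    dir=$1; problems=0
    if [ -f "$dir/cainfo.txt" ]; then
        echo "ok: $dir/cainfo.txt present"
    else
        echo "MISSING: $dir/cainfo.txt"; problems=$((problems + 1))
    fi
    if [ -d "$dir/certstore" ] && [ -n "$(ls -A "$dir/certstore" 2>/dev/null)" ]; then
        echo "ok: $dir/certstore has $(ls "$dir/certstore" | wc -l | tr -d ' ') file(s)"
    else
        echo "MISSING or empty: $dir/certstore"; problems=$((problems + 1))
    fi
    # On the HP-UX host itself, also show the local and CA certificates
    # with the commands the guide names; skipped where ipsec_config is absent.
    if command -v ipsec_config >/dev/null 2>&1; then
        ipsec_config show mycert
        ipsec_config show cacert
    fi
    return $problems
}

check_cert_files "$SAMPLE_DIR"
if cert_startup_ok "$SAMPLE_AUDIT"; then
    echo "ok: local certificate accepted at start-up"
else
    echo "WARNING: no certificate start-up message (check audit level and local certificate)"
fi
echo "certificate problems in audit file:"
cert_audit_problems "$SAMPLE_AUDIT"
```

Run it against /var/adm/ipsec and the live audit file on the HP-UX host; a non-zero return from check_cert_files or a missing start-up message narrows the failure to the local configuration before you look at the peer's certificate or CRL.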
158 Troubleshooting HP-UX IPSec