HP-UX IPSec Version A.03.00 Administrator's Guide

If you see the message Only preshared key can be used for authentication, then
the IKE daemon was unable to validate the local certificate.
You can also try using preshared keys for primary authentication. You will need to configure
the same preshared key on both systems.
Check that you have a certificate for the local system and for the root CA. If you are using chained
CAs, you must have a certificate for each CA in the authentication chain between the local system
and the remote system. Check that you have a CRL for each CA.
HP-UX IPSec stores certificate data in the /var/adm/ipsec/certstore directory. For a
description of the files, see “Certificate Storage” (page 129).
Check that the required files are present. If the mykey.pem file has been deleted and you cannot
restore it from backup media, you must create a new Certificate Signing Request and get a new
certificate.
You can use OpenSSL utilities to display more information about the certificate and CRL files.
For example, you can use the following command to display the information about the root CA
certificate:
openssl x509 -in rootcert.pem -text
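The following shell snippet is an added example, not code from the HP-UX IPSec product or this guide. It turns the two checks above into reusable functions: one reports which required files are missing from the certificate store (the page names only mykey.pem and rootcert.pem; any other file names are placeholders the caller passes in, taken from the "Certificate Storage" list), and two wrappers use openssl to print the fields most useful when the IKE daemon cannot validate the local certificate: subject, issuer and validity period of a certificate, and issuer and update dates of a CRL. The store directory is a parameter so the functions can be run against a copy of /var/adm/ipsec/certstore or a test directory; openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# check_certstore DIR FILE...
#   Report which of the named certificate-store files are absent or empty
#   in DIR (HP-UX IPSec keeps them in /var/adm/ipsec/certstore).
#   Returns 0 when every file is present and non-empty, 1 otherwise.
#   Only mykey.pem and rootcert.pem come from the guide; other names are
#   whatever the caller supplies from the "Certificate Storage" section.
check_certstore() {
  dir=$1
  shift
  missing=0
  for f in "$@"; do
    if [ -s "$dir/$f" ]; then
      echo "present: $dir/$f"
    else
      echo "MISSING: $dir/$f"
      missing=1
    fi
  done
  return $missing
}

# show_cert FILE
#   Print subject, issuer and validity dates of a PEM certificate. A chain
#   is consistent when each certificate's issuer matches the subject of
#   the next CA certificate up to the root.
show_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# show_crl FILE
#   Print issuer and update dates of a PEM CRL; an expired CRL
#   (nextUpdate in the past) also causes validation to fail.
show_crl() {
  openssl crl -in "$1" -noout -issuer -lastupdate -nextupdate
}

# Usage example: check the live store for the key and root CA certificate,
# then dump the root certificate. Example invocation only.
# check_certstore /var/adm/ipsec/certstore mykey.pem rootcert.pem \
#   && show_cert /var/adm/ipsec/certstore/rootcert.pem
```

If check_certstore reports mykey.pem missing and no backup exists, the only remedy is the one the guide gives: generate a new Certificate Signing Request and obtain a new certificate, because the private key cannot be reconstructed from the certificate.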
HP-UX Will Not Start (ipsec_admin -start Fails)
Problem
HP-UX IPSec will not start.
Symptoms
The ipsec_admin -start command fails. The ipsec_admin utility returns one of the
following messages:
IPSEC_ADMIN: Failed to read IPsec admin file, error: %nn. Did you set
the password with -np?
IPSEC_ADMIN: Failed to open IPsec admin file, error: %nn. Did you set
the password with -np?
IPSEC_ADMIN: ERROR-read_admin_info(): Failed to verify ipsec password.
IPSEC_ADMIN: ERROR-reads a DB config which is invalid
IPSEC_ADMIN: ERROR-Configuration database open failed: reason
Solution
If ipsec_admin returns the message Failed to read IPsec admin file, error:
%nn. Did you set the password with -np? or the message Failed to open IPsec
admin file, error: %nn. Did you set the password with -np? and you have
not yet set the HP-UX IPSec password, set the password using the command ipsec_admin
-newpasswd or ipsec_admin -np.
If ipsec_admin returns the message read_admin_info(): Failed to verify ipsec
password, verify that the file /var/adm/ipsec/cainfo.txt exists.
If ipsec_admin returns the message reads a DB config which is invalid or
Configuration database open failed, see the following section, Corrupt or Missing
HP-UX IPSec Configuration Database, for more information.
Troubleshooting Scenarios 159