HP-UX IPSec Version A.03.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

211

212

213

214

215

216

217

218

219

220

Troubleshooting Manual Key Problems

Troubleshooting manual key problems can be difficult because there are no IKE negotiations

and no IKE audit messages.

Symptoms

Link errors (unable to connect ) and timeouts. The output from the ipsec_report -sa

ipsec command shows the SAs, but attempts to exchange data with the remote system fail.

The audit file may show errors when HP-UX IPSec starts or when a manual key is added such

as PF_KEY: SADB_ADD for SPI 0xnnnn returns EEXIST and PF_KEY: Invalid

SADB_ADD, SPI 0xnnnn , errno 22 .

If the HP-UX IPSec audit level is set to warning or higher, the audit file may show entries such

as No SPI for received packet.

STREAMS log records may show entries from HP-UX IPSec STREAMS modules (ipsec_aaaa

), such as Bad cipher SA init or Padding checks failed .

Solutions

Check the manual key configuration. Check that the local inbound SA descriptor (SPI, transform

type, authentication key, encryption key, and initialization vector) matches the remote outbound

SA descriptor (on the remote system). Check that the local outbound SA descriptor matches the

remote inbound SA descriptor (on the remote system).

SADB_ADD for SPI 0xnnnn returns EEXIST

If the audit file contains an error message similar to the one below, you are attempting to add a

manual key with an SPI that is already allocated:

Msg: 178 From: SECPOLICYD Lvl: ERROR Date: Thu Jun 24 09:45:17 2004

Event: PF_KEY: SADB_ADD for SPI 0x201 returns EEXIST

In the above example, the user tried to add a manual key with inbound SPI 513 (0x201). The

secure policy daemon had already allocated inbound SPI 513 for a dynamic key SA, and when

the daemon received the request to add the manual key SA with the same SPI, it logged the above

error and did not add the manual key SA.

Change the manual key SPI. Verify that the SPIs are unique and are not within the range for

dynamic key SPI numbers. The default range for dynamic key SPI numbers is 300 - 2500000.

Refer to the ipsec_config(1M) manpage for more information on changing the dynamic key SPI

range.

Invalid SADB_ADD

If the audit file contains the error message similar to the one below, HP-UX IPSec may be rejecting

an encryption key because it is too weak (not sufficiently random):

PF_KEY: Invalid SADB_ADD, SPI 0xnnnn , errno 22

Verify that the SPI number in the audit message matches a manual key SPI. Examine the STREAMS

log messages to verify that the error is caused by a weak encryption key, as described in

“Examining STREAMS Logging Records” (page 220). See Appendix F, “Selecting Encryption

Keys” (page 216) for information on generating strong encryption keys.

STREAMS Logging Messages and Additional Audit File Entries

In most cases, little information is logged when manual keys fail because there is no IKE or IPsec

SA negotiation. The ipsec_report -sa ipsec and ipsec_report -host active output

show the SAs when the SA information is added to the runtime database, even if the SAs are not

acceptable to the remote system. To view additional data that may include information about

manual key SAs, use the following procedures to examine the STREAMS logging records and

additional audit file entries.

Troubleshooting Manual Key Problems 219