HP-UX IPSec Version A.03.00 Administrator's Guide
Examining STREAMS Logging Records
You can use the strace utility to view STREAMS log records, or use the following procedure
to examine the nettl log file for entries logged by the HP-UX IPSec STREAMS modules.
1. Execute the following command to determine the current nettl log file (the default is
/var/adm/nettl.LOG000) and the current log classes for the STREAMS subsystem:
nettl -ss
The default STREAMS log classes are error and disaster. If the STREAMS log classes do not
include the error and disaster classes, use the nettl command to set them. You can do this
by executing a command similar to the following command:
nettl -log e d -e streams
2. Format the current nettl log file. You can do this by executing a command similar to the
following command:
netfmt /var/adm/nettl.LOG000 > my_log_output
3. If the STREAMS log classes did not previously include the error and disaster classes, the
existing log file will not contain the records of interest: re-create the manual key problem,
then format the log file again as in step 2.
4. Examine the output and search for records logged by the HP-UX IPSec STREAMS modules. Search
for the string ipsec.
You may see entries similar to the following, which indicate mismatched cryptographic
keys in an inbound packet. When ESP decrypts a packet with the wrong key, the recovered
trailer (pad bytes, pad length and next-header field) is garbage, so the padding checks fail:
24 01:36:26 78194680 1 T.. 0 0 ipsec_ip_rput_local_esp: Can't pullup pad/protocol (1 76 185)
25 01:36:30 78194986 1 T.. 0 0 ipsec_ip_rput_local_esp: Padding checks failed
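The search in step 4 is usually done with grep, but when the formatted log is large it helps to pull out only the ipsec_ records and count the known failure messages. The following is an added example, not code from the HP-UX IPSec guide: a small parser for netfmt-formatted records in the layout shown above. The two failure messages and the module name are taken from the records above; the sample output, the other filler records and the mapping of those messages to a "suspected key mismatch" label are constructed for this example.

```python
"""Triage netfmt output for records logged by the HP-UX IPSec STREAMS modules.

Added example, not from the HP-UX IPSec guide. The sample lines below are
constructed to match the record layout shown in the guide; the ipsec_
function name and the two failure messages come from the guide, the rest
(other records, sequence numbers, timestamps) is made up.
"""
import re

# Constructed sample of netfmt output (my_log_output). Records 24 and 25
# copy the guide's examples; the others are filler.
SAMPLE_NETFMT_OUTPUT = """\
22 01:36:20 78194500 1 T.. 0 0 tcp_rput: constructed filler record
23 01:36:22 78194600 1 T.. 0 0 ip_rput: constructed filler record
24 01:36:26 78194680 1 T.. 0 0 ipsec_ip_rput_local_esp: Can't pullup pad/protocol (1 76 185)
25 01:36:30 78194986 1 T.. 0 0 ipsec_ip_rput_local_esp: Padding checks failed
26 01:36:31 78195000 1 T.. 0 0 ipsec_ip_rput_local_esp: Padding checks failed
27 01:36:33 78195100 1 T.. 0 0 ipsec_ip_rput_local_esp: constructed non-failure record
"""

# Record layout as it appears in the guide:
#   seq  time  timestamp  x  flags  a  b  function: message
# Only records whose function name starts with ipsec_ are kept.
RECORD_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<func>ipsec_\w+):\s*(?P<msg>.*)$"
)

# Messages the guide associates with mismatched keys on an inbound ESP
# packet. Treating them as one "suspected key mismatch" class is an
# assumption made for triage, not something the guide states.
KEY_MISMATCH_MARKERS = ("Padding checks failed", "Can't pullup pad/protocol")


def ipsec_records(text):
    """Return (seq, time, function, message) for every record from an ipsec_ module."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            out.append((int(m["seq"]), m["time"], m["func"], m["msg"]))
    return out


def key_mismatch_records(text):
    """Subset of ipsec_records whose message starts with a known key-mismatch marker."""
    return [r for r in ipsec_records(text)
            if any(r[3].startswith(k) for k in KEY_MISMATCH_MARKERS)]


def summarize(text):
    """Count suspected key-mismatch records per logging function."""
    counts = {}
    for _, _, func, _ in key_mismatch_records(text):
        counts[func] = counts.get(func, 0) + 1
    return counts


if __name__ == "__main__":
    # On a real system: netfmt ... > my_log_output, then feed that file here.
    for rec in key_mismatch_records(SAMPLE_NETFMT_OUTPUT):
        print("%d %s %s: %s" % rec)
    print(summarize(SAMPLE_NETFMT_OUTPUT))
```

Point the script at the file written in step 2 instead of the embedded sample; a run of padding failures from the same module and address pair, clustered in time, is the pattern to look for before checking the keys on both hosts.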
Examining Additional Audit Entries
Set the HP-UX IPSec audit level to WARNING or higher to see additional entries for manual key
problems. Use the following procedure to search for manual key audit records.
1. Set the HP-UX IPSec audit level to warning by executing the following command:
ipsec_admin -auditlvl warning
2. Re-create the manual key problem.
3. Display the contents of the audit file by executing the following command, where audit_file
is the path to the current HP-UX IPSec audit file:
ipsec_report -audit audit_file
4. Examine the output and search for records with the address of the remote system. You may
see entries similar to the following:
Msg: 67 From: SECPOLICYD Lvl: WARNING Date: Thu Jun 10 13:43:07 2004
Event: No SPI for received packet - SPI: hhhh
IP addr: 10.1.1.1-10.2.2.2 proto: 50
The above entry indicates mismatched SPI numbers: a packet arrived with an SPI for which the
local system has no inbound SA. Verify the SPI numbers configured on the remote system. The
inbound SPI on the local system must match the outbound SPI on the remote system, and the
outbound SPI on the local system must match the inbound SPI on the remote system.
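The following is an added example, not code from the HP-UX IPSec guide, covering steps 3 and 4 and the SPI pairing rule above. It parses ipsec_report -audit output in the record layout shown (Msg/Event/IP addr lines), extracts each "No SPI for received packet" event with its SPI and address pair, and checks a pair of manual-key configurations against the rule that local inbound must equal remote outbound and local outbound must equal remote inbound. The sample audit text, the SPI values and both key tables are constructed; the guide only shows the SPI as a hex placeholder.

```python
"""Parse ipsec_report -audit output for manual-key SPI problems and check
SPI pairing between two hosts.

Added example, not from the HP-UX IPSec guide. The record layout follows
the guide's sample; the SPI values, extra records and both key tables are
constructed for illustration.
"""
import re

# Constructed sample of ipsec_report -audit output. Record 67 mirrors the
# guide's example with a made-up SPI; 66 and 68 are filler.
SAMPLE_AUDIT_OUTPUT = """\
Msg: 66 From: SECPOLICYD Lvl: WARNING Date: Thu Jun 10 13:42:59 2004
Event: constructed filler event
Msg: 67 From: SECPOLICYD Lvl: WARNING Date: Thu Jun 10 13:43:07 2004
Event: No SPI for received packet - SPI: 0x2001
IP addr: 10.1.1.1-10.2.2.2 proto: 50
Msg: 68 From: SECPOLICYD Lvl: WARNING Date: Thu Jun 10 13:43:12 2004
Event: No SPI for received packet - SPI: 0x2001
IP addr: 10.1.1.1-10.2.2.2 proto: 50
"""

HEADER_RE = re.compile(r"^Msg:\s*(\d+)\s+From:\s*(\S+)\s+Lvl:\s*(\S+)\s+Date:\s*(.*)$")
NOSPI_RE = re.compile(r"^Event:\s*No SPI for received packet\s*-\s*SPI:\s*(\S+)")
ADDR_RE = re.compile(r"^IP addr:\s*(\S+)-(\S+)\s+proto:\s*(\d+)")


def parse_audit(text):
    """Split audit output into one dict per Msg record (header fields + body lines)."""
    records, cur = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"msg": int(h[1]), "from": h[2], "lvl": h[3],
                   "date": h[4], "lines": []}
            records.append(cur)
        elif cur is not None:
            cur["lines"].append(line)
    return records


def no_spi_events(text):
    """Return (msg, spi, src, dst, proto) for each 'No SPI for received packet' record."""
    out = []
    for rec in parse_audit(text):
        spi = src = dst = proto = None
        for line in rec["lines"]:
            m = NOSPI_RE.match(line)
            if m:
                spi = int(m[1], 16)  # assumes the SPI is printed in hex
            a = ADDR_RE.match(line)
            if a:
                src, dst, proto = a[1], a[2], int(a[3])
        if spi is not None:
            out.append((rec["msg"], spi, src, dst, proto))
    return out


def check_spi_pairing(local, remote):
    """Apply the guide's pairing rule to the SPIs configured on two hosts.

    Each argument is {"inbound": spi, "outbound": spi} as configured on that
    host for the same address pair. Returns a list of mismatch descriptions;
    an empty list means the pairing is consistent.
    """
    problems = []
    if local["inbound"] != remote["outbound"]:
        problems.append("local inbound SPI 0x%x != remote outbound SPI 0x%x"
                        % (local["inbound"], remote["outbound"]))
    if local["outbound"] != remote["inbound"]:
        problems.append("local outbound SPI 0x%x != remote inbound SPI 0x%x"
                        % (local["outbound"], remote["inbound"]))
    return problems


def rejected_spis(text, local_inbound_spi):
    """SPIs the remote actually sent that differ from the local inbound SPI.

    A 'No SPI' event carries the SPI the remote put on the wire, i.e. the
    remote's outbound SPI; comparing it with what the local system expects
    shows which side is misconfigured.
    """
    return sorted({spi for _, spi, *_ in no_spi_events(text)
                   if spi != local_inbound_spi})


if __name__ == "__main__":
    # Constructed key tables: the local host expects inbound 0x1001, but the
    # remote host sends with outbound 0x2001, which is what the audit shows.
    local = {"inbound": 0x1001, "outbound": 0x1002}
    remote = {"inbound": 0x1002, "outbound": 0x2001}
    for ev in no_spi_events(SAMPLE_AUDIT_OUTPUT):
        print("msg %d: SPI 0x%x from %s to %s proto %d" % ev)
    print(check_spi_pairing(local, remote))
    print(["0x%x" % s for s in rejected_spis(SAMPLE_AUDIT_OUTPUT, local["inbound"])])
```

Run it against the output of ipsec_report -audit on the local system and fill in the two key tables from the manual-key configuration on each host; a non-empty result from check_spi_pairing names exactly which direction is wrong, and rejected_spis confirms it against what the remote is really sending.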
220 Using Manual Keys