HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Troubleshooting Procedures
This section describes the following troubleshooting procedures:
• “Checking Status”
• “Isolating HP-UX IPSec Problems from Upper-layer Problems”
• “Checking Policy Configuration”
• “Configuring HP-UX IPSec Auditing”
Checking Status
HP-UX IPSec has five main modules:
• IKE (ISAKMP/Oakley) daemon (ikmpd)
• Policy daemon (secpolicyd)
• Audit daemon (secauditd)
• Kernel Policy engine
• Kernel Security Association engine
The following command verifies the status of these modules:
ipsec_admin -status
This command sends status check messages to the IPsec daemons and checks kernel parameters
to see if the kernel IPsec components are enabled.
You can also use the following command to get status information:
ipsec_report -all [-file filename]
This command will show some HP-UX IPSec activity even if there is no peer system running HP-UX
IPSec. The -file option saves the output to the specified filename. This command performs the
following tasks:
• Queries the kernel Security Association (SA) engine for active IPsec SAs on this system. If there
is no peer IPsec system and/or no active IPsec SAs, the kernel SA engine will respond that
there are no IPsec SAs to report. You can also do this by entering the command:
ipsec_report -sa ipsec
• Queries the IKE daemon for IKE SAs. If there is no peer IPsec system or no IPsec traffic, the
IKE daemon will respond that there are no IKE SAs to report. You can also do this by entering
the following command:
ipsec_report -sa ike
• Queries the IKE daemon and reports the IKE policies. You can also do this by entering the
following command:
ipsec_report -ike
• Queries the policy daemon and reports the configured host IPsec policies. You can also do
this by entering the following command:
ipsec_report -host configured
• Queries the policy daemon and reports the active host IPsec policies. To create the list of active
host IPsec policies, the policy daemon expands configured host IPsec policies with wildcard
and subnet specifications for the active IP interfaces (configured UP or DOWN, plumbed) on
the local system. The policy daemon also creates active host IPsec policies as needed for