HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Configuring Startup Audit Parameters
To set the audit parameters used every time HP-UX IPSec starts, modify the startup record in the
configuration database by entering a command similar to the following:
ipsec_config add startup [-autoboot ON|OFF]
[-auditlvl audit_level] [-auditdir audit_directory]
[-maxsize max_size] ...
audit_level can be alert, error, warning, informative, or debug. A selected
audit level includes all the lower audit levels.
audit_directory is the fully-qualified path name for the audit directory.
max_size is the maximum size for each audit file, in kilobytes. The default is 100 kilobytes.
When you modify startup parameters in the configuration database, the changes do not take effect
until the next time HP-UX IPSec starts.
The startup configuration object includes other operating parameters. Any parameters you do not
specify are reset to the default values, including the autoboot flag, which determines if HP-UX IPSec
starts automatically at system startup time. To configure HP-UX IPSec to start automatically at system
startup time, include the option -autoboot ON in the ipsec_config add startup command.
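Because unspecified startup parameters are reset to their defaults, it helps to generate the command with every parameter stated explicitly. The following sketch is an added example, not part of the HP guide: the function name build_startup_cmd and the sample directory and size are constructed, and it covers only the four options shown above (any other startup parameters you rely on must be added to the command as well).

```shell
#!/bin/sh
# Added example: build a complete "ipsec_config add startup" command so that
# -autoboot and the audit settings are never silently reset to defaults.

# build_startup_cmd AUTOBOOT AUDIT_LEVEL AUDIT_DIR MAX_SIZE_KB
# Prints the command on stdout; returns non-zero on invalid input.
build_startup_cmd() {
    [ "$#" -eq 4 ] || { echo "usage: build_startup_cmd ON|OFF level dir kb" >&2; return 2; }
    autoboot=$1 level=$2 dir=$3 size=$4

    case $autoboot in
        ON|OFF) ;;
        *) echo "autoboot must be ON or OFF" >&2; return 1 ;;
    esac

    # Audit levels listed in the guide.
    case $level in
        alert|error|warning|informative|debug) ;;
        *) echo "invalid audit level: $level" >&2; return 1 ;;
    esac

    # The audit directory must be a fully-qualified path.
    case $dir in
        /*) ;;
        *) echo "audit directory must be an absolute path" >&2; return 1 ;;
    esac
    # Reject spaces and shell metacharacters so the printed command is safe to run.
    case $dir in
        *[!A-Za-z0-9/._-]*) echo "unsupported character in audit directory" >&2; return 1 ;;
    esac

    # max_size is in kilobytes: a positive integer without leading zeros.
    case $size in
        ''|*[!0-9]*|0*) echo "max size must be a positive integer (KB)" >&2; return 1 ;;
    esac

    printf 'ipsec_config add startup -autoboot %s -auditlvl %s -auditdir %s -maxsize %s\n' \
        "$autoboot" "$level" "$dir" "$size"
}

# Constructed sample values; review the printed command, then run it on the HP-UX host.
build_startup_cmd ON informative /var/adm/ipsec_audit 500
```

The command takes effect the next time HP-UX IPSec starts, as noted above.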
Viewing Audit Files
You must use the ipsec_report utility to view audit files. First, determine the current audit file:
ipsec_admin -status
Then use the -audit option of ipsec_report to display the file:
ipsec_report -audit audit_file
Filtering Audit File Output by Entity
You can filter the audit file output so ipsec_report shows only entries recorded by specified
entities.
ipsec_report -audit audit_file -entity entity_name
[entity_name ...]
where entity_name is one of the following names:
ikmpd
ipsec_admin
ipsec_config
ipsec_policy
ipsec_report
secauditd
secpolicyd
TIP: When troubleshooting problems with establishing SAs, set the audit level to informative.
If you know which policy HP-UX IPSec is using, you can specify -entity ikmpd when displaying
the audit file contents to view only the IKE audit entries.
Troubleshooting Tips
This section contains troubleshooting tips.
• Use the ipsec_report -sa command to determine if HP-UX IPSec is creating the IKE and
IPsec SAs. For IKEv2, the absence of the IKE SA does not always indicate that the IKE SA
negotiation failed. For more information, see “Determining if the IKEv2 SA Negotiation
Succeeded” (page 131).
If HP-UX IPSec is not creating SAs, use ping, linkloop (if the remote system is connected
to the same LAN), and other networking utilities to verify basic connectivity to the remote