HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

system. If you have firewalls or other packet filter utilities, verify that these utilities allow IPsec packets to pass. The utilities must allow the following types of traffic to pass:

• UDP port 500 (IKE negotiations)
• IP protocol number 50 (ESP protocol)
• IP protocol number 51 (AH protocol)

Use the ipsec_report -cache command to determine what action HP-UX IPSec is selecting
for a packet five-tuple. The ipsec_report -cache command will show an entry for a
packet five-tuple even if the HP-UX IPSec action is to pass or discard the packet.
In some cases, the IKE daemon does not send a response if there is a mismatch in IKE parameters. IKE uses this strategy to avoid responding to attackers. If you have misconfigured IKE parameters, the IKE responder may not send a response. In this case, the IKE initiator's log file will show multiple retransmissions and an error message. For IKEv1 negotiations, the error message includes the text "phase1 negotiation failed due to time up". For IKEv2 negotiations, the error message includes the text "retransmission count exceeded the limit".
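The following script is an added example and is not part of the HP-UX IPSec guide. It shows how a defender can triage an IKE initiator's log for the two failure messages quoted above and count the retransmissions that precede them. The sample log lines written by write_sample_logs are constructed for this example; the real HP-UX IPSec log format and log file location are not assumed.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide: triage an IKE initiator's log
# for the two failure messages the guide documents when the responder stays
# silent. The log excerpts written by write_sample_logs are constructed for this
# example; the real HP-UX IPSec log format and file location are not assumed.

IKEV1_MSG='phase1 negotiation failed due to time up'
IKEV2_MSG='retransmission count exceeded the limit'

# write_sample_logs DIR: create two constructed initiator logs (one per IKE version)
write_sample_logs() {
    cat > "$1/ikev1.log" <<'EOF'
IKE: initiating phase1 to 192.0.2.20 (constructed sample)
IKE: retransmitting message to 192.0.2.20 (attempt 1)
IKE: retransmitting message to 192.0.2.20 (attempt 2)
IKE: retransmitting message to 192.0.2.20 (attempt 3)
IKE: phase1 negotiation failed due to time up
EOF
    cat > "$1/ikev2.log" <<'EOF'
IKEv2: sending IKE_SA_INIT to 192.0.2.30 (constructed sample)
IKEv2: retransmitting message to 192.0.2.30 (attempt 1)
IKEv2: retransmitting message to 192.0.2.30 (attempt 2)
IKEv2: retransmission count exceeded the limit
EOF
}

# classify_ike_log FILE: print ikev1-timeout, ikev2-retransmit, or none
classify_ike_log() {
    if grep -q "$IKEV1_MSG" "$1"; then
        echo ikev1-timeout
    elif grep -q "$IKEV2_MSG" "$1"; then
        echo ikev2-retransmit
    else
        echo none
    fi
}

# count_retransmits FILE: number of retransmission lines in the log; several of
# them followed by the error message is the pattern the guide describes for a
# responder that deliberately stays silent on a parameter mismatch
count_retransmits() {
    grep -c 'retransmitting message' "$1" || true
}

# Stand-alone demo: classify both constructed logs and show retransmit counts
demo() {
    d=$(mktemp -d) || exit 1
    write_sample_logs "$d"
    for f in "$d"/ikev1.log "$d"/ikev2.log; do
        printf '%s: %s after %s retransmissions\n' \
            "$(basename "$f")" "$(classify_ike_log "$f")" "$(count_retransmits "$f")"
    done
    rm -rf "$d"
}
demo
```

A result of ikev1-timeout or ikev2-retransmit with a run of retransmissions and no reply from the peer points at an IKE parameter mismatch to compare on both systems, not at a transport problem; a transport problem (filtered UDP 500, for example) produces the same silence, so check the packet filter rules listed above first.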
An IKE SA must exist before IKE can negotiate IPsec SAs. An IKE SA negotiation is initiated when an IPsec SA pair is needed and there is no active IKE SA established with the remote system.

When IKEv2 is used, the IKE SA is deleted if negotiation of the first IPsec SA pair fails. The absence of an IKEv2 SA (the ipsec_report -sa ike command does not show an IKEv2 SA) therefore does not always indicate that the IKE SA negotiation failed. See "Determining if the IKEv2 SA Negotiation Succeeded" (page 131) for more information.

When IKEv1 is used, the IKE SA is not deleted if the first IPsec SA negotiation fails. The absence of an IKEv1 SA always indicates that the IKE SA negotiation failed.

Reporting Problems
Be sure to include the following information when reporting problems:

• A complete description of the problem and any error messages. Include information about:
  - the local system (IP addresses)
  - IP addresses of relevant remote systems
  - routing table information (netstat -rn output) if appropriate
  Also include a description of what works and what does not work.
• Output from the ipsec_admin -status command.
• Output from the ipsec_report -all command.
• Output from the ipsec_report -audit audit_file -file output_file command for additional audit files. The ipsec_report -all output includes the contents of the current audit file, but you may need to collect multiple audit files to get all the records for a problem. HP-UX IPSec opens a new audit file when the current file would exceed the maximum audit file size. The default maximum audit file size is 100 Kbytes. You can change the maximum audit file size using the ipsec_admin -m[axsize] max_audit_file_size command.

If you can reproduce the problem, set the audit level to informative or debug, and set the maximum audit file size to a large value, such as 99,999 kilobytes. For example, you can enter the following commands before reproducing the problem:

ipsec_admin -maxsize 99999
ipsec_admin -auditlvl informative
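The following script is an added example and is not part of the HP-UX IPSec guide. It gathers the items listed above for a problem report into one directory so that nothing is forgotten when a case is opened. The command names and options (ipsec_admin -status, ipsec_report -all, ipsec_report -audit audit_file -file output_file, netstat -rn, ipsec_admin -maxsize, ipsec_admin -auditlvl) are the ones documented on this page; the IPSEC_ADMIN, IPSEC_REPORT and NETSTAT override variables and the output file names are this example's own conventions, and the locations of the additional audit files are not documented here, so the caller supplies them as arguments.

```shell
#!/bin/sh
# Added example, not part of the HP-UX IPSec guide: collect the items the guide
# asks for in a problem report into one directory. The command names and options
# (ipsec_admin -status, ipsec_report -all, ipsec_report -audit ... -file ...,
# netstat -rn, ipsec_admin -maxsize, ipsec_admin -auditlvl) come from the guide.
# The IPSEC_ADMIN/IPSEC_REPORT/NETSTAT override variables are this example's own
# convention, and the audit file paths must be supplied by the caller.

: "${IPSEC_ADMIN:=ipsec_admin}"
: "${IPSEC_REPORT:=ipsec_report}"
: "${NETSTAT:=netstat}"

# run_into OUTFILE COMMAND [ARGS...]: capture stdout and stderr together so that
# error messages are kept; a missing tool or a nonzero exit is recorded in the
# output file instead of aborting the whole collection
run_into() {
    out=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || printf '# exit status %s\n' "$?" >> "$out"
    else
        printf '# command not found: %s\n' "$1" > "$out"
    fi
}

# prepare_for_repro: the settings the guide suggests before reproducing a problem
# (large audit file, informative audit level)
prepare_for_repro() {
    "$IPSEC_ADMIN" -maxsize 99999 &&
    "$IPSEC_ADMIN" -auditlvl informative
}

# collect_ipsec_report OUTDIR [AUDIT_FILE...]: status, full report and routing
# table, then one formatted output per additional audit file; prints the number
# of files written to OUTDIR
collect_ipsec_report() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    run_into "$dir/ipsec_admin_status.txt" "$IPSEC_ADMIN" -status
    run_into "$dir/ipsec_report_all.txt" "$IPSEC_REPORT" -all
    run_into "$dir/netstat_rn.txt" "$NETSTAT" -rn
    n=0
    for audit in "$@"; do
        n=$((n + 1))
        # ipsec_report -audit formats an archived audit file into the -file target;
        # the .log file keeps whatever the command itself printed
        run_into "$dir/audit_$n.log" "$IPSEC_REPORT" -audit "$audit" -file "$dir/audit_$n.txt"
    done
    ls "$dir" | wc -l | tr -d ' '
}

# Usage: sh collect_ipsec_report.sh OUTDIR [AUDIT_FILE...]
if [ $# -gt 0 ]; then
    collect_ipsec_report "$@"
fi
```

Run prepare_for_repro before reproducing the problem, reproduce it, then run the script with every audit file written during the reproduction, since the -all output only contains the current audit file. Review the directory before sending it: the report output carries the IP addresses and policy details of both systems.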
Reporting Problems 127