HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
• ping, linkloop (check connectivity)
• ipsec_policy, or ipsec_report -cache and ipsec_report -host (determine the policy being used)
• Check the configuration file.
If HP-UX IPSec is misconfigured to encrypt and/or authenticate packets that it should not, and the
peer system is not configured to use IPsec encryption/authentication for that traffic, you will
consistently get connection errors (unable to connect or connection timed out): the local system
protects the packets and the peer has no matching policy or SA to process them.
Check connectivity to the remote system using the /etc/ping and linkloop utilities.
Verify which IPsec policy is being applied to the traffic with the ipsec_policy command, and check
the configuration file for the policy that should have matched.
HP-UX IPSec Attempts to Encrypt/Authenticate and Fails
Problem
IPsec attempts to encrypt/authenticate packets and fails.
Symptoms
If HP-UX IPSec is configured to encrypt/authenticate but the negotiation fails, the user sees a
connection error (unable to connect or connection timed out). Output from the
ipsec_report -sa ipsec command shows no IPsec SAs.
Solution
Determine the IKE version number, if you are not certain which version is in use. Then determine
where the failure occurs: whether the IKE SA negotiation failed, or the IKE SA negotiation
succeeded and the subsequent IPsec SA negotiation failed. Finally, determine why the IKE SA or
IPsec SA negotiation is failing.
Determining the IKE Version Number
If you are not certain which IKE version is being used, there are two methods to determine
the IKE version:
• Use the ipsec_policy command to determine the authentication policy selected, then use
the ipsec_config show auth name command (where name is that authentication policy) to display
the value of its kmp parameter, which gives the IKE version.
• Set the audit level to informative (use the command ipsec_admin -auditlvl
INFORMATIVE) or higher, then retry the negotiation. Records are written only at the audit level in
effect when the negotiation runs, so the level must be raised before the retry. Search the audit file
for the text found ike. The IKE daemon creates an informative log record when it selects the IKE
policy for a negotiation. This message has the following format:
found ikevn policy: policy_name
Where n is the IKE version (1 or 2) and policy_name is the IKEv1 or IKEv2 policy used. For example:
Msg: 1258 From: IKMPD Lvl: INFORMATIVE Date: Mon Mar 2 22:52:09 2009
Event: found ikev1 policy: default
Determining if the IKEv1 SA Negotiation Succeeded
If you are using IKEv1, the output from ipsec_report -sa ike shows the IKEv1 SA if the IKE SA
negotiation succeeded. If the output does not show the IKEv1 SA, the negotiation failed, and the
audit log also contains the error phase1 negotiation failed due to time up.
If the IKEv1 SA negotiation failed, see “IKEv1 SA Negotiation Fails or Times Out (phase1
negotiation failed)” (page 131).
If the IKEv1 SA is present but ipsec_report -sa ipsec shows no IPsec SA, the IPsec SA negotiation
failed; see “IPsec SA Negotiation Fails” (page 133).
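The following shell script is an added example for the procedure above; it is not part of the HP guide or of the HP-UX IPSec product. It automates the two audit-log checks the procedure describes on a saved copy of the audit file: it extracts the IKE version and policy name from the most recent found ikevn policy: record, and, for IKEv1, tests for the phase1 negotiation failed due to time up error, then reports which troubleshooting section applies. It assumes only the record layout shown in the example above (a Msg:/From:/Lvl:/Date: line followed by an Event: line) and the two message texts quoted on this page. The function names, the sample records (including the Lvl value on the failure record), and the use of a temporary file are constructed for the example; the audit file location is passed in by the caller. The script does not parse ipsec_report output, whose format this page does not show, so ipsec_report -sa ike and ipsec_report -sa ipsec are still run by hand to confirm the result.

```shell
#!/bin/sh
# Added triage helper for the IKE/IPsec SA troubleshooting procedure.
# Not HP code: it only relies on the two audit record texts quoted in the
# guide ("found ikevN policy: <name>" and "phase1 negotiation failed due
# to time up"). Record layout: a "Msg: ... Lvl: ... Date: ..." line
# followed by an "Event: ..." line, as in the guide's example.

# Print "ikevN <policy>" for the most recent "found ikevN policy:" record
# in the audit file given as $1, or nothing if no such record exists
# (no negotiation was attempted, or the audit level was below INFORMATIVE).
ike_policy_from_audit() {
    sed -n 's/^Event: found \(ikev[12]\) policy: \(.*\)$/\1 \2/p' "$1" | tail -n 1
}

# Return 0 if the audit file ($1) records an IKEv1 phase 1 timeout.
phase1_timed_out() {
    grep -q 'phase1 negotiation failed due to time up' "$1"
}

# Classify the failure from the audit file ($1) alone. Output is one of:
#   no-ike-policy       no IKE policy selection was logged: raise the audit
#                       level to INFORMATIVE, retry, and recheck ipsec_policy
#   ikev1-phase1-failed IKEv1 SA negotiation failed (see "IKEv1 SA
#                       Negotiation Fails or Times Out")
#   ikev1-ipsec-sa      no phase 1 failure logged, so suspect the IPsec SA
#                       negotiation (see "IPsec SA Negotiation Fails")
#   ikev2               IKEv2 was selected; its failure records are not
#                       covered on this page
triage_audit() {
    sel=$(ike_policy_from_audit "$1")
    case "$sel" in
        '')         echo no-ike-policy ;;
        "ikev1 "*)  if phase1_timed_out "$1"; then
                        echo ikev1-phase1-failed
                    else
                        echo ikev1-ipsec-sa
                    fi ;;
        "ikev2 "*)  echo ikev2 ;;
    esac
}

# Constructed sample audit file (modelled on the guide's example record;
# the message numbers, dates and the Lvl value of the second record are
# invented) so the script can be exercised without an HP-UX system.
make_sample_audit() {
    cat > "$1" <<'EOF'
Msg: 1258 From: IKMPD Lvl: INFORMATIVE Date: Mon Mar 2 22:52:09 2009
Event: found ikev1 policy: default
Msg: 1259 From: IKMPD Lvl: ERROR Date: Mon Mar 2 22:53:09 2009
Event: phase1 negotiation failed due to time up
EOF
}

# Demo: triage the constructed sample. On a real system, pass a copy of
# the audit file instead: triage_audit /path/to/audit/file
sample=${TMPDIR:-/tmp}/ipsec_audit_sample.$$
make_sample_audit "$sample"
echo "selected: $(ike_policy_from_audit "$sample")"
echo "triage:   $(triage_audit "$sample")"
rm -f "$sample"
```

Because the script reads a copy of the audit file rather than the live daemon state, it can be run after the fact on a file collected from the affected system; the ikev1-ipsec-sa result is a pointer, not proof, and should be confirmed by checking that ipsec_report -sa ike lists the IKE SA while ipsec_report -sa ipsec lists none.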
130 Troubleshooting HP-UX IPSec