HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Determining if the IKEv2 SA Negotiation Succeeded
If you are using IKEv2, the IKE daemon deletes the IKE SA if the negotiation for the first pair of IPsec
(child) SAs fails. If this occurs, the output from the ipsec_report -sa ike command does not show an IKEv2
SA even though the IKEv2 SA negotiation succeeded. To determine whether the IKE SA was successfully
established, check the audit files as follows:
• On the responder, set the audit level to informative or debug and check for an informative
message with the text found host selector. For example:
Msg: 372 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 11:53:27 2009
Event: found host selector: myHostPol
This message indicates that the IKEv2 negotiation succeeded, and the responder then searched
for and found a host policy that matched the traffic selectors in the IPsec SA negotiation.
If the audit level is set to debug, the audit file on the responder will also contain debug
messages showing that the IKE daemon received traffic selectors (TS) for the IPsec SA
negotiation.
Note that the presence of the found host selector message in the initiator audit file
does not always indicate that the IKE SA negotiation succeeded. On the initiator, the IKE
daemon logs this message at the beginning of the IKE SA negotiation.
• On the initiator, set the audit level to debug and check for a debug message similar to the
following:
Msg: 221 From: IKMPD Lvl: DEBUG Date: Fri Feb 20 23:00:04 2009
Event: local 10.1.1.1/500 - remote 10.2.2.2/500:ike_sa 40079580 state INI_IKE_SA_INIT_SENT -> DYING
The state transition INI_IKE_SA_INIT_SENT -> DYING indicates that the IKE daemon
terminated the IKEv2 SA negotiation after it sent the first message in the negotiation; this
indicates that the IKEv2 SA negotiation failed.
If the state transition is INI_IKE_AUTH_SENT -> DYING, the IKE daemon terminated the IKEv2 SA
negotiation after it sent the third message in the negotiation; this indicates that either the
IKEv2 SA authentication failed or the first IPsec SA negotiation failed.
If the IKEv2 SA negotiation failed, see “IKEv2 SA Negotiation Fails or Times Out (retransmission
count exceeded the limit)” (page 132).
If the IPsec SA negotiation failed, see “IPsec SA Negotiation Fails” (page 133).
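As an added example that is not part of the HP-UX guide, the following Python script applies the checks above to audit entries in the Msg:/Event: layout quoted: it rejoins an Event line that the pager wrapped mid-word, treats the responder's found host selector message as proof that the IKEv2 SA was established, ignores that same message on the initiator, maps the two initiator state transitions to their meanings, and also flags the IKEv1 phase1 time-up message from the next scenario. The record layout beyond the quoted entries, the continuation-line handling and the sample audit text are assumptions constructed for this example.

```python
import re
# Record layout as quoted in the guide: a "Msg:" header line followed by an "Event:" line.
# A wrapped event continues on the next line until the next header (assumption).
HEADER_RE = re.compile(r"^Msg:\s*(\d+)\s+From:\s*(\S+)\s+Lvl:\s*(\S+)\s+Date:\s*(.+)$")
TRANSITION_RE = re.compile(r"ike_sa\s+(\w+)\s+state\s+(\S+)\s*->\s*(\S+)")

def parse_audit(text):
    """Return a list of {msg, src, lvl, event} dicts from ipsec_report -audit output."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"msg": int(m.group(1)), "src": m.group(2), "lvl": m.group(3), "event": ""}
            records.append(cur)
        elif cur is not None and line.startswith("Event:"):
            cur["event"] = line[len("Event:"):].strip()
        elif cur is not None and line:
            cur["event"] += line  # rejoin an event line the pager split mid-word

    return records

def classify(records, role):
    """Map IKMPD events to the outcomes the guide describes; role is "initiator" or "responder"."""
    verdicts = []
    for r in records:
        if r["src"] != "IKMPD":
            continue
        ev = r["event"]
        if role == "responder" and "found host selector" in ev:
            verdicts.append((r["msg"], "IKEV2_SA_ESTABLISHED"))  # initiator logs this too early
        m = TRANSITION_RE.search(ev)
        if m and role == "initiator":
            old, new = m.group(2), m.group(3)
            if (old, new) == ("INI_IKE_SA_INIT_SENT", "DYING"):
                verdicts.append((r["msg"], "IKEV2_SA_FAILED"))  # died after message 1
            elif (old, new) == ("INI_IKE_AUTH_SENT", "DYING"):
                verdicts.append((r["msg"], "IKEV2_AUTH_OR_CHILD_SA_FAILED"))  # died after message 3
        if "phase1 negotiation failed due to time up" in ev:
            verdicts.append((r["msg"], "IKEV1_PHASE1_TIMEOUT"))
    return verdicts

# Constructed initiator sample modelled on the entries quoted in the guide (wrapped as shown there).
SAMPLE_INITIATOR = """\
Msg: 220 From: IKMPD Lvl: INFORMATIVE Date: Fri Feb 20 23:00:03 2009
Event: found host selector: myHostPol
Msg: 221 From: IKMPD Lvl: DEBUG Date: Fri Feb 20 23:00:04 2009
Event: local 10.1.1.1/500 - remote 10.2.2.2/500:ike_sa 40079580 sta
te INI_IKE_SA_INIT_SENT -> DYING
"""
```

Running classify(parse_audit(SAMPLE_INITIATOR), "initiator") reports only message 221 as IKEV2_SA_FAILED; the initiator's found host selector entry is correctly disregarded.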
IKEv1 SA Negotiation Fails or Times Out (phase1 negotiation failed)
Problem
IKEv1 IKE SA negotiation fails or times out.
Symptoms
The output from the ipsec_report -sa ike command does not show the IKEv1 SA. The audit
log contains the error phase1 negotiation failed due to time up.
Solution
• Use the ipsec_report -audit command to view the audit file entries. The audit message
phase1 negotiation failed due to time up can indicate either:
◦ A connectivity problem with the remote system.
◦ A mismatch in IKE configuration. HP-UX and other IKE responders will not respond if the
initiator sends an unacceptable SA proposal. In this case, the initiator audit file shows
the time up error message.
Troubleshooting Scenarios 131