HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Check that the responder is receiving the IKE messages from the initiator. If the audit level is
set to informative on the responder, the audit file will contain a message similar to the following
if it is receiving the initial IKE negotiation message:
Msg: 125 From: IKMPD Lvl: INFORMATIVE Date: Mon Mar 2 22:33:27 2009
Event: respond new phase 1 negotiation: 10.1.1.1/500<=>105.2.2.2/500
The log file on the responder may also show an error message that indicates a mismatch in
the IKEv1 SA proposals, such as the following:
Msg: 1131 From: IKMPD Lvl: ERROR Date: Mon Mar 2 22:52:02 2009
Event: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA1
• Use the ipsec_policy utility to determine the IKE policy being used, as described in “Using
ipsec_policy” (page 124). Verify that the values for the following IKE parameters match the values
on the remote system:
◦ Diffie-Hellman group
◦ Local and remote authentication method
◦ Authentication algorithm
◦ Encryption algorithm
◦ The preshared key value, if you are using preshared key authentication. On HP-UX systems,
this is configured using the ipsec_config add auth command. HP-UX stores all
values prefixed with 0x as hexadecimal values and stores all other values as ASCII values.
The ipsec_config command does not allow spaces, and any double quote marks in
the command are added to the key value.
If you are using RSA signatures, see “IKE Primary Authentication Fails with Certificates”
(page 135).
• Enable a nettl level 4 trace using the command ipsec_admin -traceon or use a line
analyzer trace or tcpdump to verify that the packets are being sent and received by the
correct remote system. Check if the remote IKE entity is responding. IKE always uses UDP port
500 to receive and send IKE packets.
NOTE: The audit file on the initiator may also show a message with the text Event:
phase2 negotiation failed due to time up waiting for phase1. This message
does not always indicate that the phase 1 negotiation was successful and that the IKE daemon
started a phase 2 negotiation (IPsec SA negotiation). The IKE daemon starts a timer for the
completion of the phase 2 negotiation before it starts the phase 2 negotiation, independent
of the status of the phase 1 negotiation.
IKEv2 SA Negotiation Fails or Times Out (retransmission count exceeded the limit)
Problem
IKEv2 IKE negotiation fails or times out.
Symptoms
The output from the ipsec_report -sa ike command does not show the IKEv2 SA. The audit
file on the initiator shows an error message similar to the following:
Msg: 240 From: IKMPD Lvl: ERROR Date: Tue Mar 3 21:40:14 2009
Event: local ? - remote ?:retransmission count exceeded the limit
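The following is an added example, not part of the HP-UX guide: it parses IKMPD audit-file records in the Msg/From/Lvl/Date/Event layout shown above (both the IKEv1 proposal-mismatch message and the IKEv2 retransmission message), turns each into a troubleshooting hint, and applies the guide's preshared-key storage rule (0x prefix is hexadecimal, anything else ASCII) so two key strings can be compared as the bytes HP-UX would actually store. The sample audit lines are constructed, and reading DB(...) as the local policy value and Peer(...) as the peer's proposal is an assumption.

```python
import re

# Constructed sample audit-file lines in the layout shown in the guide.
SAMPLE_AUDIT = """\
Msg: 125 From: IKMPD Lvl: INFORMATIVE Date: Mon Mar 2 22:33:27 2009
Event: respond new phase 1 negotiation: 10.1.1.1/500<=>105.2.2.2/500
Msg: 1131 From: IKMPD Lvl: ERROR Date: Mon Mar 2 22:52:02 2009
Event: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA1
Msg: 240 From: IKMPD Lvl: ERROR Date: Tue Mar 3 21:40:14 2009
Event: local ? - remote ?:retransmission count exceeded the limit
"""

HEADER_RE = re.compile(r"^Msg:\s*(\d+)\s+From:\s*(\S+)\s+Lvl:\s*(\S+)\s+Date:\s*(.+)$")
# "rejected <attr>: DB(<sel>):Peer(<sel>) = <local>:<peer>"; DB/Peer roles assumed.
MISMATCH_RE = re.compile(r"rejected (\w+): DB\(([^)]*)\):Peer\(([^)]*)\) = (\S+):(\S+)")

def parse_audit(text):
    """Pair each 'Msg:' header line with the 'Event:' line that follows it."""
    records, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = {"msg": int(m.group(1)), "from": m.group(2),
                      "lvl": m.group(3), "date": m.group(4)}
        elif line.startswith("Event:") and header is not None:
            header["event"] = line[len("Event:"):].strip()
            records.append(header)
            header = None
    return records

def diagnose(records):
    """Return (msg number, hint) for the events the guide tells you to look for."""
    findings = []
    for r in records:
        ev = r["event"]
        m = MISMATCH_RE.search(ev)
        if m:
            attr, db_sel, peer_sel, local, peer = m.groups()
            findings.append((r["msg"], f"IKEv1 proposal mismatch on {attr}: "
                             f"local={local} peer={peer} ({db_sel} vs {peer_sel})"))
        elif "retransmission count exceeded" in ev:
            findings.append((r["msg"], "no reply from peer: verify UDP/500 reachability "
                             "and that the remote IKE daemon is running"))
        elif "respond new phase 1 negotiation" in ev:
            findings.append((r["msg"], "responder received the initiator's first IKE message"))
    return findings

def stored_psk_bytes(value):
    """Bytes HP-UX stores for a preshared key: 0x-prefixed is hex, otherwise ASCII."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.encode("ascii")
```

Comparing stored_psk_bytes() on both sides' configured strings shows why "abcd" and "0xabcd" never match even though they look alike.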
132 Troubleshooting HP-UX IPSec