HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

These symptoms are also present if the first IPsec SA negotiation fails for a given IKEv2 SA. See
“Determining if the IKEv2 SA Negotiation Succeeded” (page 131) for information on determining
if the IKEv2 SA was established.
Solution
Use the ipsec_report -audit command to view the audit file entries. If the IKEv2 SA negotiation fails, the message "retransmission count exceeded the limit" can indicate either:
• A connectivity problem with the remote system.
• A mismatch in IKE configuration. HP-UX and other IKE responders will not respond if the initiator sends an unacceptable SA proposal. In this case, the initiator audit file shows the "retransmission count exceeded the limit" error message.
Check that the responder is receiving the IKE messages from the initiator. If the audit level is
set to informative on the responder, the audit file will contain a message similar to the following
if it is receiving the initial IKE negotiation message:
Msg: 145 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:39:59 2009
Event: found ikev2 policy: default
The log file on the responder may also show an error message that indicates a mismatch in
the IKEv2 SA proposals, such as the following:
Msg: 123 From: IKMPD Lvl: ERROR Date: Mon Feb 23 21:36:54 2009
Event: local 10.2.2.2/500 - remote 10.1.1.1/500:no proposal chosen
Use the ipsec_policy utility to determine the IKE policy being used, as described in “Using ipsec_policy” (page 124). Verify that the values for the following IKE parameters match the values on the remote system:
• Diffie-Hellman group
• Local and remote authentication method
• Hash algorithm
• Encryption algorithm
• Pseudo-random function
• The preshared key value, if you are using preshared key authentication. On HP-UX systems, this is configured using the ipsec_config add auth command. HP-UX stores all values prefixed with 0x as hexadecimal values and stores all other values as ASCII values. The ipsec_config command does not allow spaces, and any double quote marks in the command are added to the key value.
If you are using RSA signatures, see “IKE Primary Authentication Fails with Certificates” (page 135).
Enable a nettl level 4 trace using the command ipsec_admin -traceon or use a line
analyzer trace or tcpdump to verify that the packets are being sent and received by the
correct remote system. Check whether the remote IKE entity is responding. IKE always uses
UDP port 500 to receive and send IKE packets.
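As an added example (not from the guide or from HP), the following Python parses audit entries in the Msg/From/Lvl/Date/Event layout shown above, flags the messages this procedure looks for, and applies the guide's preshared key storage rule (0x prefix means hexadecimal, anything else ASCII, quotes included) to show why two keys that look alike can differ. The sample entries, the Msg 99 record and the hint attached to each message are constructed for illustration.

```python
import re

# Constructed sample of ipsec_report -audit output (header line, then Event line);
# Msg 99 is invented here to show the initiator-side message named in the guide.
SAMPLE_AUDIT = """\
Msg: 145 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:39:59 2009
Event: found ikev2 policy: default
Msg: 123 From: IKMPD Lvl: ERROR Date: Mon Feb 23 21:36:54 2009
Event: local 10.2.2.2/500 - remote 10.1.1.1/500:no proposal chosen
Msg: 99 From: IKMPD Lvl: ERROR Date: Mon Feb 23 21:37:10 2009
Event: retransmission count exceeded the limit
"""

HEADER = re.compile(r"^Msg:\s*(\d+)\s+From:\s*(\S+)\s+Lvl:\s*(\S+)\s+Date:\s*(.+)$")

# Audit messages the guide names, and what each tells the troubleshooter (hints are ours).
SIGNATURES = [
    ("retransmission count exceeded the limit", "initiator: connectivity problem or proposal rejected"),
    ("no proposal chosen", "responder: IKE proposal mismatch; compare DH group, auth, hash, enc, PRF, PSK"),
    ("found ikev2 policy", "responder received the initial IKE message; not a connectivity problem"),
]

def parse_audit(text):
    """Parse audit text into dicts with msg, from, lvl, date and event."""
    records, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = {"msg": int(m.group(1)), "from": m.group(2),
                      "lvl": m.group(3), "date": m.group(4).strip()}
        elif line.startswith("Event:") and header is not None:
            header["event"] = line[len("Event:"):].strip()
            records.append(header)
            header = None
    return records

def diagnose(records):
    """Return (msg number, matched message, hint) for each record matching a signature."""
    return [(r["msg"], needle, hint) for r in records
            for needle, hint in SIGNATURES if needle in r["event"]]

def preshared_key_bytes(value):
    """Bytes HP-UX would store for an ipsec_config add auth key, per the guide's rule:
    0x prefix means hexadecimal, anything else is ASCII, and double quotes stay in the key."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.encode("ascii")
```

Running diagnose over both peers' audit files side by side is the quickest way to tell the connectivity case (initiator timeout, responder silent) from the proposal mismatch case (initiator timeout, responder logs "no proposal chosen").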
IPsec SA Negotiation Fails
Problem
The IKEv1 or IKEv2 SA was established, but the IPsec SA negotiation failed.
Troubleshooting Scenarios 133