HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Symptoms
If you are using IKEv1, output from the ipsec_report -sa command shows an IKEv1 SA but
does not show IPsec SAs.
If you are using IKEv2, output from the ipsec_report -sa command might not show an IKEv2
SA. See “Determining if the IKEv2 SA Negotiation Succeeded” (page 131) for information on
determining if the IKEv2 SA was established.
Solution
Determine the host or tunnel policy used on each system for the traffic. Use one of the following
methods:
Use the ipsec_policy utility to query the policy daemon.
Use audit file entries. Set the debug level to INFORMATIVE or higher. Search the audit files
for entries with the text found host selector. For example:
Msg: 450 From: IKMPD Lvl: INFORMATIVE Date: Tue Mar 17 12:42:54 2009
Event: found host selector: telnetIn
If there is no matching host policy on the responder, the IKE daemon logs an error in the audit
file and uses the default host policy. For IKEv1, the message is similar to the following:
Msg: 443 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:33:06 2009
Event: can't find matching selector
For IKEv2, the IKE daemon logs an error message similar to the following if it receives an IPsec
negotiation for which it has no matching host policy:
Msg: 357 From: IKMPD Lvl: ERROR Date: Wed Mar 4 18:54:01 2009
Event: local ? - remote ?:ts unacceptable
Use the ipsec_report -cache command to determine the action selected for a given
packet. If the packet did not match any configured policies and you are using the default host
policy shipped with the product, the cache entry for the packet will show the action PASS.
Check the following items in the host policies:
source and destination descriptors
priority
transform list and lifetimes
Check the audit files for additional information. The audit file entries differ according to the IKE
version used.
IKEv1 IPsec SA Error
The following audit file entries indicate that the responder rejected the IPsec SA negotiation because
the initiator proposed an ESP transform with the AES encryption method, but the responder is
configured to use 3DES:
Msg: 622 From: IKMPD Lvl: WARNING Date: Tue Mar 17 12:42:55 2009
Event: trns_id mismatched: my:3DES peer:AES
Msg: 623 From: IKMPD Lvl: ERROR Date: Tue Mar 17 12:42:55 2009
Event: not matched
Msg: 624 From: IKMPD Lvl: ERROR Date: Tue Mar 17 12:42:55 2009
Event: no suitable policy found.
IKEv2 IPsec SA Error
The following responder audit file entry indicates that none of the IPsec SA proposals matched:
Msg: 412 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:08:36 2009
Event: local ? - remote ?:no proposal chosen
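The audit file entries quoted throughout this section (found host selector, can't find matching selector, ts unacceptable, trns_id mismatched, not matched / no suitable policy found, no proposal chosen) all share the same two-line layout: a Msg: header line followed by an Event: line. The script below is an added example and is not part of this guide or of the HP-UX IPSec product. It parses that layout, recognizes the event texts quoted in this section, and maps each one to the host-policy items the section says to check (descriptors and priority for a missing host policy, transform list and lifetimes for a rejected proposal). The category names, the advice strings, and the sample audit text are the example's own; the sample is constructed from the messages quoted above, with illustrative message numbers and timestamps.

```python
"""Classify IKMPD audit-file entries described in the HP-UX IPSec troubleshooting
section and map each failure to the policy item to check.

Added example, not HP-UX IPSec product code. Only the event texts quoted in the
guide are recognized; other entries are left unclassified."""
import re
from typing import Iterator, List, NamedTuple, Optional

# Header line layout as quoted in the guide, for example:
#   Msg: 622 From: IKMPD Lvl: WARNING Date: Tue Mar 17 12:42:55 2009
HEADER_RE = re.compile(
    r"^Msg:\s*(?P<msg>\d+)\s+From:\s*(?P<src>\S+)\s+Lvl:\s*(?P<lvl>\S+)"
    r"\s+Date:\s*(?P<date>.+?)\s*$"
)
EVENT_RE = re.compile(r"^Event:\s*(?P<event>.*?)\s*$")


class AuditEntry(NamedTuple):
    msg: int
    source: str
    level: str
    date: str
    event: str


class Finding(NamedTuple):
    msg: int
    level: str
    ike: str        # IKE version the guide associates with the message
    category: str   # example's own category names
    advice: str     # what the troubleshooting section says to check


def parse_audit(text: str) -> Iterator[AuditEntry]:
    """Pair each 'Msg:' header line with the 'Event:' line that follows it."""
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        e = EVENT_RE.match(line)
        if e and header is not None:
            yield AuditEntry(int(header["msg"]), header["src"], header["lvl"],
                             header["date"], e["event"])
            header = None  # an Event: line without a header is ignored


# (IKE version, event pattern, category, advice). Event texts are those the guide
# quotes; the advice follows its "check the following items in the host policies".
RULES = [
    ("any", re.compile(r"^found host selector: (?P<policy>\S+)$"), "selector-found",
     "host policy '{policy}' was selected for this traffic; compare it with the peer's policy"),
    ("IKEv1", re.compile(r"^can't find matching selector$"), "no-host-policy",
     "no matching host policy on the responder (default host policy used); "
     "check source/destination descriptors and priority"),
    ("IKEv2", re.compile(r":ts unacceptable$"), "no-host-policy",
     "no host policy matches the proposed traffic selectors; "
     "check source/destination descriptors and priority"),
    ("IKEv1", re.compile(r"^trns_id mismatched: my:(?P<mine>\S+) peer:(?P<peer>\S+)$"),
     "transform-mismatch",
     "local transform {mine} vs peer transform {peer}; align the transform lists"),
    ("IKEv1", re.compile(r"^(not matched|no suitable policy found\.?)$"), "proposal-rejected",
     "IPsec SA proposal rejected; see the preceding WARNING for the mismatched attribute"),
    ("IKEv2", re.compile(r":no proposal chosen$"), "proposal-rejected",
     "no IPsec SA proposal matched; check transform list and lifetimes"),
]


def classify(entry: AuditEntry) -> Optional[Finding]:
    """Return a Finding for a recognized event, or None if the event is not one
    the troubleshooting section describes."""
    for ike, pattern, category, advice in RULES:
        m = pattern.search(entry.event)
        if m:
            return Finding(entry.msg, entry.level, ike, category,
                           advice.format(**m.groupdict()))
    return None


def diagnose(text: str) -> List[Finding]:
    """Parse audit text and keep only the entries this section explains."""
    return [f for f in (classify(e) for e in parse_audit(text)) if f is not None]


# Constructed sample audit file: the messages mirror those quoted in the guide;
# the final entry is an unrelated record that the rules do not classify.
SAMPLE_AUDIT = """\
Msg: 450 From: IKMPD Lvl: INFORMATIVE Date: Tue Mar 17 12:42:54 2009
Event: found host selector: telnetIn
Msg: 622 From: IKMPD Lvl: WARNING Date: Tue Mar 17 12:42:55 2009
Event: trns_id mismatched: my:3DES peer:AES
Msg: 623 From: IKMPD Lvl: ERROR Date: Tue Mar 17 12:42:55 2009
Event: not matched
Msg: 624 From: IKMPD Lvl: ERROR Date: Tue Mar 17 12:42:55 2009
Event: no suitable policy found.
Msg: 443 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:33:06 2009
Event: can't find matching selector
Msg: 357 From: IKMPD Lvl: ERROR Date: Wed Mar 4 18:54:01 2009
Event: local ? - remote ?:ts unacceptable
Msg: 412 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:08:36 2009
Event: local ? - remote ?:no proposal chosen
Msg: 999 From: IKMPD Lvl: INFORMATIVE Date: Tue Mar 17 13:08:37 2009
Event: constructed unrelated informational entry
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE_AUDIT):
        print(f"Msg {f.msg} [{f.level}] {f.ike} {f.category}: {f.advice}")
```

To use it on a real system, read the audit file (with the debug level already at INFORMATIVE or higher, as the section requires) and pass its contents to diagnose(). The rules cover only the events this section quotes, so an empty result means none of these specific messages were present, not that the negotiation succeeded; for anything else, fall back to ipsec_report -sa and ipsec_report -cache as described above.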