HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
The audit file on the initiator shows the following entries:
Msg: 647 From: IKMPD Lvl: INFORMATIVE Date: Tue Mar 17 13:09:42 2009
Event: received notify type NO_PROPOSAL_CHOSEN
Msg: 648 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:09:42 2009
Event: local 10.1.1.1/500 - remote 10.2.2.2/500:message lacks IDr payload
IKE Primary Authentication Fails with Certificates
Problem
Certificate-based (RSA signature) primary authentication fails.
Symptoms
For IKEv1, output from the ipsec -sa ike command does not show the IKEv1 SA.
For IKEv2, output from the ipsec -sa ike command does not show the IKEv2 SA. However,
this does not always indicate that the IKEv2 SA negotiation failed. See “Determining if the IKEv2
SA Negotiation Succeeded” (page 131) for information on determining if the IKEv2 SA was
established.
Solution
Check the audit file for an expired certificate, revoked certificate, or certificate encoding problems.
Try preshared key authentication.
Enter the ipsec_config show mycert command and check the certificate for the local system.
Enter the ipsec_config show cacert command and check that there is a valid certificate for
each CA and a valid CRL issued by each CA. The certificates and CRLs are stored in the
/var/adm/ipsec/certstore directory.
Check that the /var/adm/ipsec/cainfo.txt file is present.
Details
Check the audit log for messages indicating that the certificate for the local or remote system is
expired, revoked, or has X.509 encoding errors.
If the audit level is set to informative or higher, you will see the following message when HP-UX
IPSec starts and the local certificate is valid:
Msg: 4 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:40:32 2009
Event: Either certificate or preshared key can be used for authentication.
If you see the message Only preshared key can be used for authentication, then
the IKE daemon was unable to validate the local certificate.
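As an added example (not from the guide), a small Python parser for the two-line Msg:/Event: audit layout shown above that flags the entries relevant to certificate authentication. The sample records marked as constructed and the expired/revoked wording are assumptions, since the guide does not quote those messages.

```python
import re

# Constructed sample in the two-line "Msg:/Event:" layout the guide shows. The first three
# records use the guide's wording; record 5 is constructed (assumed daemon wording).
SAMPLE_AUDIT = """\
Msg: 647 From: IKMPD Lvl: INFORMATIVE Date: Tue Mar 17 13:09:42 2009
Event: received notify type NO_PROPOSAL_CHOSEN
Msg: 648 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:09:42 2009
Event: local 10.1.1.1/500 - remote 10.2.2.2/500:message lacks IDr payload
Msg: 4 From: IKMPD Lvl: INFORMATIVE Date: Tue Feb 24 22:40:32 2009
Event: Only preshared key can be used for authentication.
Msg: 5 From: IKMPD Lvl: ERROR Date: Tue Feb 24 22:40:33 2009
Event: certificate for remote system has expired
"""

HEADER_RE = re.compile(r"^Msg:\s*(\d+)\s+From:\s*(\S+)\s+Lvl:\s*(\S+)\s+Date:\s*(.+)$")

def parse_audit(text):
    """Pair each 'Msg:' header with the 'Event:' line that follows it."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groups()
        elif line.startswith("Event:") and header:
            msg, source, level, date = header
            entries.append({"msg": int(msg), "source": source, "level": level,
                            "date": date.strip(), "event": line[6:].strip()})
            header = None
    return entries

# First three substrings are worded as in the guide; expired/revoked are assumed wording.
INDICATORS = [
    ("only preshared key can be used", "IKE daemon could not validate the local certificate"),
    ("no_proposal_chosen", "peer rejected the proposal; compare IKE proposal settings"),
    ("lacks idr payload", "peer sent no IDr payload; check the peer's identity settings"),
    ("expired", "expired certificate: renew it"),
    ("revoked", "revoked certificate: obtain a new one"),
]

def diagnose(text):
    """Return [(msg number, level, diagnosis)] for entries matching an indicator."""
    findings = []
    for e in parse_audit(text):
        event = e["event"].lower()
        for needle, diagnosis in INDICATORS:
            if needle in event:
                findings.append((e["msg"], e["level"], diagnosis))
                break
    return findings
```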
You can also try using preshared keys for primary authentication. You will need to configure the
same preshared key on both systems.
Check that you have a certificate for the local system and for the root CA. If you are using chained
CAs, you must have a certificate for each CA in the authentication chain between the local system
and the remote system. Check that you have a CRL for each CA.
HP-UX IPSec stores certificate data in the /var/adm/ipsec/certstore directory. For a
description of the files, see “Certificate Storage” (page 112).
Check that the required files are present. If the mykey.pem file has been deleted and you cannot
restore it from backup media, you must create a new Certificate Signing Request and get a new
certificate.
You can use OpenSSL utilities to display more information about the certificate and CRL files. For
example, you can use the following command to display the information about the root CA
certificate:
Troubleshooting Scenarios 135