HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Msg: 55 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 12:14:42 2004
Event: Kernel Policy Cache Threshold exceeded nnnn records.
where nnnn is the hard limit.
Solution
Use the following ipsec_config commands to set and configure new SPD soft and hard limits:
ipsec_config add startup -spd_soft spd_soft_limit
ipsec_config add startup -spd_hard spd_hard_limit
The spd_soft_limit and spd_hard_limit are specified in units of 1000 entries. Refer to
the ipsec_config(1M) manpage for more information.
You can also use the ipsec_admin -start -spd_soft spd_soft_limit and
ipsec_admin -start -spd_hard spd_hard_limit commands to set new SPD soft and
hard limits at system startup time. Refer to the ipsec_admin(1M) manpage for more information.
ipsec_report -sa display of the phase 2 associations does not reflect the key length of the AES transform combination
Problem
The ipsec_report -sa display of the phase 2 associations does not reflect the key length of the AES transform combination.
Symptom
When ESP_AES256_HMAC_SHA1 is used, ipsec_report -sa does not display the key length of the AES transform.
For example:
------------------------ IPSec SA ------------------------
Sequence number: 1
SPI (hex): 6F128 State: MATURE
SA Type: ESP with AES-CBC encryption and HMAC-SHA1 authentication
Src IP Addr: 192.168.2.1 Dst IP Addr: 192.168.2.2
--- Current Lifetimes ---
bytes processed: 288
addtime (seconds): 6
usetime (seconds): 6
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 0
--- Soft Lifetimes ---
bytes processed: 0
addtime (seconds): 23591
usetime (seconds): 0
Solution
In the IPSec core kernel, the parameters that the ipsec_report command needs to differentiate between
AES128, AES192, and AES256 are not available when the SA forms.
As a workaround, you can use the ipsec_policy command to see the encryption algorithm
being used in phase 2.
For example:
$ ipsec_policy -sa 192.168.2.1 -da 192.168.2.2 -dir out
------------------- Active Host Policy Rule ---------------------
Rule Name: longevity_3 Priority: 7 Cookie: 7
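The workaround above as an added example, not taken from the HP guide: a POSIX shell function that reads ipsec_report -sa output and prints the ipsec_policy command to run for each outbound AES SA. The function names, the local-address argument and the sample records are assumptions constructed for illustration; only SAs whose source is the local address are handled, matching the -dir out usage shown above.

```shell
#!/bin/sh
# Added example, not from the HP guide. Function names, the local-address
# argument and the sample records are constructed for illustration.

# Constructed `ipsec_report -sa` records in the format shown above
# (lifetime lines omitted; the 3DES SA Type string is an assumption).
sample_report() {
cat <<'EOF'
------------------------ IPSec SA ------------------------
Sequence number: 1
SPI (hex): 6F128 State: MATURE
SA Type: ESP with AES-CBC encryption and HMAC-SHA1 authentication
Src IP Addr: 192.168.2.1 Dst IP Addr: 192.168.2.2
------------------------ IPSec SA ------------------------
Sequence number: 2
SPI (hex): 6F129 State: MATURE
SA Type: ESP with AES-CBC encryption and HMAC-SHA1 authentication
Src IP Addr: 192.168.2.2 Dst IP Addr: 192.168.2.1
------------------------ IPSec SA ------------------------
Sequence number: 3
SPI (hex): 6F12A State: MATURE
SA Type: ESP with 3DES-CBC encryption and HMAC-SHA1 authentication
Src IP Addr: 192.168.2.1 Dst IP Addr: 192.168.2.3
------------------------ IPSec SA ------------------------
Sequence number: 4
SPI (hex): 6F12B State: MATURE
SA Type: ESP with AES-CBC encryption and HMAC-SHA1 authentication
Src IP Addr: 192.168.2.1 Dst IP Addr: 192.168.2.2
EOF
}

# Reads ipsec_report -sa text on stdin. For each distinct outbound SA
# (source == $1) whose SA Type names AES, prints the ipsec_policy command
# that shows the negotiated transform, since the report omits the key length.
aes_sa_checks() {
    awk -v host="$1" '
    /^-+ IPSec SA -+/ { aes = 0 }               # start of a new SA record
    /^SA Type:/       { aes = ($0 ~ /AES/) }    # remember AES for this record
    /^Src IP Addr:/ && aes && $4 == host && $8 ~ /^[0-9A-Fa-f.:]+$/ {
        pair = $4 " " $8
        if (!(pair in seen)) {                  # one command per src/dst pair
            seen[pair] = 1
            printf "ipsec_policy -sa %s -da %s -dir out\n", $4, $8
        }
    }'
}

# On a live system: ipsec_report -sa | aes_sa_checks <local address>
sample_report | aes_sa_checks 192.168.2.1
```

The inbound AES SA (sequence 2), the 3DES SA and the repeated pair (sequence 4) produce no extra command, so the sample yields a single ipsec_policy line.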