HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

191

192

193

194

195

196

197

198

199

200

0x0123456789012345678901234567890123456789/\

0x12345678901234567890123456789012 \

-in ESP/2500003/\

0x1234567890123456789012345678901234567890/\

\0x12345678901234567890123456789012

Troubleshooting Manual Key Problems

Troubleshooting manual key problems can be difficult because there are no IKE negotiations and

no IKE audit messages.

Symptoms

Link errors (unable to connect ) and timeouts. The output from the ipsec_report -sa

ipsec command shows the SAs, but attempts to exchange data with the remote system fail.

The audit file may show errors when HP-UX IPSec starts or when a manual key is added such as

PF_KEY: SADB_ADD for SPI 0xnnnn returns EEXIST and PF_KEY: Invalid

SADB_ADD, SPI 0xnnnn , errno 22 .

If the HP-UX IPSec audit level is set to warning or higher, the audit file may show entries such as

No SPI for received packet.

STREAMS log records may show entries from HP-UX IPSec STREAMS modules (ipsec_aaaa ),

such as Bad cipher SA init or Padding checks failed .

Solutions

Check the manual key configuration. Check that the local inbound SA descriptor (SPI, transform

type, authentication key, encryption key, and initialization vector) matches the remote outbound

SA descriptor (on the remote system). Check that the local outbound SA descriptor matches the

remote inbound SA descriptor (on the remote system).

SADB_ADD for SPI 0xnnnn returns EEXIST

If the audit file contains an error message similar to the one below, you are attempting to add a

manual key with an SPI that is already allocated:

Msg: 178 From: SECPOLICYD Lvl: ERROR Date: Thu Jun 24 09:45:17 2004

Event: PF_KEY: SADB_ADD for SPI 0x201 returns EEXIST

In the above example, the user tried to add a manual key with inbound SPI 513 (0x201). The

secure policy daemon had already allocated inbound SPI 513 for a dynamic key SA, and when

the daemon received the request to add the manual key SA with the same SPI, it logged the above

error and did not add the manual key SA.

Change the manual key SPI. Verify that the SPIs are unique and are not within the range for dynamic

key SPI numbers. The default range for dynamic key SPI numbers is 300 - 2500000. See the

ipsec_config(1M) manpage for more information on changing the dynamic key SPI range.

Invalid SADB_ADD

If the audit file contains the error message similar to the one below, HP-UX IPSec may be rejecting

an encryption key because it is too weak (not sufficiently random):

PF_KEY: Invalid SADB_ADD, SPI 0xnnnn , errno 22

Verify that the SPI number in the audit message matches a manual key SPI. Examine the STREAMS

log messages to verify that the error is caused by a weak encryption key, as described in “Examining

STREAMS Logging Records” (page 193). See Appendix F, “Selecting Encryption Keys” (page 191)

for information on generating strong encryption keys.

STREAMS Logging Messages and Additional Audit File Entries

In most cases, little information is logged when manual keys fail because there is no IKE or IPsec

SA negotiation. The ipsec_report -sa ipsec and ipsec_report -host active output

show the SAs when the SA information is added to the runtime database, even if the SAs are not

192 Using Manual Keys