topic IPSec Does not respond in Operating System - HP-UX

IPSec Does not respond

Srinivas_3 — Mon, 22 Apr 2002 05:24:41 GMT

While the system is running, suddenly IPSec stops responding. So from one system we can not telnet to another system on IPSec encrypted port. IPSec audit log normally drops errors like!
Msg: 4 From: IKMPD Lvl: ERROR Date: Mon Jan 21 16:59:07 2002
Event: Error processing SA payload
Msg: 1 From: IKMPD Lvl: ERROR Date: Mon Jan 21 16:59:07 2002
Event: IPSEC_RULE request timeout, seq 202708
.......
.......

Is there any document where we can refer the meaning of these errors.

Re: IPSec Does not respond

Steven Sim Kok Leong — Mon, 22 Apr 2002 05:37:20 GMT

Hi,

The negotiation and key exchange over IKE SA is via the ISAKMP protocol at service port 500. This is always performed before the IPSEC SA can be created and used.

From the error messages you got, I would guess that this IKE SA negotiation probably failed.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: IPSec Does not respond

Clemens van Everdingen — Mon, 22 Apr 2002 05:50:04 GMT

Hi,

Here is some documentation !

http://docs.hp.com/hpux/internet/index.html#IPSec/9000

http://docs.hp.com/hpux/pdf/J4255-90011.pdf

Regards,
C.

Re: IPSec Does not respond

Srinivas_3 — Mon, 22 Apr 2002 05:50:05 GMT

What could be the reasons for the key negotiations to fail?

Re: IPSec Does not respond

Clemens van Everdingen — Mon, 22 Apr 2002 05:53:38 GMT

Hi,

Did you use the ipsec_admin ???status
command to see if all processes are running ?

Should look like this:

# ipsec_admin - status

----------------- IPSec Status Report -----------------

secauditd program: Running and responding

secpolicyd program: Running and responding

ikmpd program: Running and responding

IPSec kernel: Up

IPSec Audit level: Error

IPSec Audit file: /var/adm/ipsec/auditTue-Jul-17-11-28-29-2001.log

Max Audit file size: 100 KBytes

IPSec Policy file: /var/adm/ipsec/policies.txt

Level 4 tracing: None

-------------- End of IPSec Status Report -------------

Possible a restart will solve the issue.

C.

Re: IPSec Does not respond

Srinivas_3 — Mon, 22 Apr 2002 06:03:17 GMT

Restarting IPSec and flushing the SA and plicies etc.. are tried, but as it is on production systems, the web application keep failing because IPSec configured ports are not responding. So I want to know why this error comes frequently and what is the remedy.

Re: IPSec Does not respond

Clemens van Everdingen — Mon, 22 Apr 2002 06:25:44 GMT

Hi,

You could turn tracing on to see what happens.

-----------------------------------------------
IPSec tracing

If the problem may be caused by the transport or application layer, enable layer four

tracing, recreate the problem, then disable tracing. Trace output will be sent to

/var/adm/ipsec/nettl.TRC0. You may trace TCP, UDP, IGMP or all. Typical netfmt

options can be used to format the output.

# ipsec_admin -traceon all

IPSEC_ADMIN: Please enter the IPSec password: ***************

IPSEC_ADMIN: WARNING-Enabling any Level 4 tracing (TCP, UDP, or IGMP) started

IPSEC_ADMIN: WARNING-by ipsec_admin. Ignore following nettl msg(s) if any.

IPSEC_ADMIN: Level 4 tracing successfully enabled for TCP, UDP, and IGMP.

# ipsec_admin -tf all

IPSEC_ADMIN: Please enter the IPSec password: ***************

IPSEC_ADMIN: WARNING-Disabling any Level 4 tracing (TCP, UDP, or IGMP) started

IPSEC_ADMIN: WARNING-by ipsec_admin. Ignore following nettl msg(s) if any.

IPSEC_ADMIN: Level 4 tracing successfully disabled for TCP, UDP, and IGMP.

C.