Installing and Administering IPSec/9000 > Chapter 2 Troubleshooting IPSec/9000

Troubleshooting Hints

Procedures to obtain basic troubleshooting information are shown below. These procedures include a status check using the ipsec_admin and ipsec_report commands, isolating upper-layer problems, checking the policy configuration, and configuring IPSec/9000 auditing.

Status Check

IPSec/9000 has five main modules:

  • IKE (ISAKMP/Oakley) daemon (ikmpd)

  • Policy daemon (secpolicyd)

  • Audit daemon (secauditd)

  • Kernel Policy engine

  • Kernel Security Association engine

The following command verifies the status of these modules:

ipsec_admin -status

This command sends status check messages to the IPSec daemons and checks kernel parameters to see if the kernel IPSec components are enabled.

You can also use the following command to get status information:

ipsec_report -all

This command will show some IPSec/9000 activity even if there is no peer system running IPSec/9000. It will:

  • Query the policy daemon and report the IPSec and ISAKMP policies that have been configured by the user and loaded by the policy daemon. (You can also do this by entering the command: ipsec_report -policy.)

  • Query the kernel Policy Engine and report the contents of its cache. The cache records the most recent decisions that the kernel policy engine has made for the traffic that has passed in and out of the system. If there is no IPSec peer, the kernel policy engine will still report all the packets that have been sent or received by the system (including broadcast packets) by five-tuple (source IP addr, destination IP addr, protocol, source port, destination port) and the action taken--even if the action was to pass the packet in clear text, according to the configuration. (You can also do this by entering the command: ipsec_report -cache.)

  • Query the IKE daemon for ISAKMP SAs. If there is no peer IPSec system or no IPSec traffic, the IKE daemon will respond that there are no ISAKMP SAs to report. (You can also do this by entering the command: ipsec_report -mad.)

  • Query the kernel Security Association (SA) engine for active IPSec SAs on this system. If there is no peer IPSec system and/or no active IPSec SAs, the kernel SA engine will respond that there are no IPSec SAs to report. (You can also do this by entering the command: ipsec_report -sad.)

  • Format and display the contents of the current audit file. (You can also do this using the command: ipsec_report -audit audit_file.)
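The status check above can be scripted. The following is an added example, not HP code: it cross-checks the three daemons named above against the process table and filters the kernel policy cache for traffic to a given peer that was passed in clear text, which is the result you least want to see for a host that is supposed to be an IPSec peer. The daemon names come from this page; the column layout of the constructed cache sample that cleartext_to_peer expects ("src dst proto sport dport action") and the action keyword PASS are assumptions, so adjust the awk field numbers to the ipsec_report -cache output of your release.

```shell
#!/usr/bin/sh
# Added example (not HP code): a scripted version of the IPSec/9000 status
# check. Daemon names are from the documentation; the cache line layout
# "src dst proto sport dport action" and the PASS keyword are assumptions.

# Read `ps -e` output on stdin and print each IPSec/9000 daemon that is not
# running, one per line. Only the last column (the command) is used, which
# is the same on HP-UX ps and on other POSIX ps implementations.
missing_daemons() {
    awk 'NR > 1 { n = split($NF, path, "/"); running[path[n]] = 1 }
         END {
             split("ikmpd secpolicyd secauditd", want, " ")
             for (i = 1; i <= 3; i++)
                 if (!(want[i] in running)) print want[i]
         }'
}

# Read kernel policy-cache lines on stdin and print the five-tuples of
# traffic to or from the given peer that the policy engine passed in clear
# text. Traffic to an IPSec peer should normally be secured; a PASS here
# means the packets crossed the wire unprotected, which usually points at a
# policy filter that does not match the flow you expected it to.
cleartext_to_peer() {   # peer_address
    awk -v peer="$1" '
        $6 == "PASS" && ($1 == peer || $2 == peer) { print $1, $2, $3, $4, $5 }'
}

# Live check; only meaningful where the IPSec/9000 tools are installed.
ipsec_health() {   # peer_address
    ipsec_admin -status
    missing=$(ps -e | missing_daemons)
    if [ -n "$missing" ]; then
        echo "IPSec/9000 daemons not running: $missing" >&2
        return 1
    fi
    clear=$(ipsec_report -cache | cleartext_to_peer "$1")
    if [ -n "$clear" ]; then
        echo "clear-text flows involving $1:" >&2
        echo "$clear" >&2
        return 2
    fi
    echo "daemons up, no clear-text traffic with $1 in the policy cache"
}

if [ $# -eq 1 ] && command -v ipsec_admin >/dev/null 2>&1; then
    ipsec_health "$1"
fi
```

Run it as `sh ipsec_health.sh 15.2.2.2` on the IPSec/9000 host. Broadcast and other non-peer traffic that the policy legitimately passes in the clear is ignored because the filter keys on the peer address.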

Isolating IPSec/9000 Problems from Upper-layer Problems

If you are unsure whether an application problem is caused by IPSec/9000, you can enable layer 4 (TCP, UDP, IGMP) tracing. This captures outbound packets before IPSec/9000 encrypts them and inbound packets after IPSec/9000 decrypts them, so the trace shows the application data exactly as the upper layers see it, regardless of how IPSec/9000 is protecting it on the wire.

Because the layer 4 trace contains application data in clear text, including data that IPSec/9000 protects on the wire, tracing is disabled when IPSec/9000 is started and can be enabled only with the ipsec_admin utility, which requires root capability and the IPSec/9000 Administrator's password. Treat the resulting trace files with the same care as the data they contain.

To enable layer 4 tracing, use the following command:

ipsec_admin -traceon [ tcp | udp | igmp | all ]

If nettl tracing is not already enabled, tracing output goes to /var/adm/ipsec/nettl.TRC0 and /var/adm/ipsec/nettl.TRC1. If nettl tracing is already enabled, the trace records are written to the files nettl is already using.

Checking Policy Configuration

You can use the ipsec_policy command to check which IPSec policy will be used for a given outbound packet. For example, if you are on system 15.1.1.1 and want to determine which policy would be used for outbound telnet requests to 15.2.2.2, you would use the following command:

ipsec_policy -sa 15.1.1.1 -sp 1024 -da 15.2.2.2 -dp 23 -p tcp

Next, to determine which policy would be used for inbound telnet requests to 15.1.1.1 from system 15.2.2.2, you could use the following command:

ipsec_policy -sa 15.1.1.1 -sp 23 -da 15.2.2.2 -dp 1024 -p tcp

ipsec_policy evaluates outbound packets only, so the source IP address (sa) in both examples is the address of the system on which the administrator runs ipsec_policy (15.1.1.1). The inbound telnet request is therefore described by the packet travelling in the opposite direction: the telnet server's reply from port 23 on 15.1.1.1 to the client's port on 15.2.2.2. Refer to the ipsec_policy(1M) man page.

NOTE: Both examples use 1024 as a placeholder for the client's unprivileged (ephemeral) port; the actual port is assigned when the connection is opened.
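The two queries above generalize to any service: the outbound query puts the service port in -dp, and the inbound query is the reply with the service port in -sp, while -sa is always the local address. The following added example, not HP code, wraps that rule in shell functions and runs both directions for a short list of services against one peer. The ipsec_policy options (-sa, -sp, -da, -dp, -p) and the placeholder client port 1024 are from this page; the service list, the function names and the IPSEC_POLICY variable (which lets you substitute a stub such as echo to preview the queries) are assumptions.

```shell
#!/usr/bin/sh
# Added example (not HP code): query the IPSec/9000 policy for both
# directions of a client/server flow with ipsec_policy. Options are those
# documented for ipsec_policy; service list and variable names are assumed.
IPSEC_POLICY=${IPSEC_POLICY:-ipsec_policy}
CLIENT_PORT=${CLIENT_PORT:-1024}   # placeholder unprivileged client port

# Outbound request: the local host is the client of a service on the peer.
policy_outbound() {   # local_addr peer_addr service_port proto
    "$IPSEC_POLICY" -sa "$1" -sp "$CLIENT_PORT" -da "$2" -dp "$3" -p "$4"
}

# Inbound request: ipsec_policy evaluates outbound packets only, so the
# inbound flow is modelled by the local server's reply. The service port
# moves to -sp, the client port to -dp, and -sa stays the local address.
policy_inbound() {    # local_addr peer_addr service_port proto
    "$IPSEC_POLICY" -sa "$1" -sp "$3" -da "$2" -dp "$CLIENT_PORT" -p "$4"
}

# Both directions for a few common services (assumed list; edit to taste).
policy_matrix() {     # local_addr peer_addr
    lcl=$1 peer=$2
    for svc in "telnet 23 tcp" "ssh 22 tcp" "dns 53 udp"; do
        set -- $svc    # word-split into: name port proto
        echo "== $1/$3: local host as client"
        policy_outbound "$lcl" "$peer" "$2" "$3"
        echo "== $1/$3: local host as server (reply direction)"
        policy_inbound  "$lcl" "$peer" "$2" "$3"
    done
}

if [ $# -eq 2 ] && command -v "$IPSEC_POLICY" >/dev/null 2>&1; then
    policy_matrix "$1" "$2"
fi
```

`IPSEC_POLICY=echo sh policy_matrix.sh 15.1.1.1 15.2.2.2` prints the six command lines without running them; on the IPSec/9000 host, drop the override to see the policy each flow would match. If the two directions of one service report different policies, the filters for that service are not symmetric, which is usually the cause of a connection that works one way only.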

Configuring IPSec/9000 Auditing

Follow the steps below to record IPSec/9000 audit trail security activity.

  1. Determine the name of the audit directory if you do not wish to use the default. The default directory is /var/adm/ipsec/.

  2. Determine the audit level for the IPSec/9000 subsystem. The default audit level is Error. The Error audit level provides notification of Alert and Error events. The other audit levels are: Alert, Warning and Informative. Refer to the ipsec_admin man page later in this chapter for a detailed description of each audit level.

  3. At the HP-UX prompt, set the auditing parameters by running:

    ipsec_admin -au audit_directory -al audit_level

    where audit_level is alert, error, warning, or informative. The levels are listed in ascending order, and a level includes every level before it: setting informative records alert, error, warning and informative messages, and the default, error, records alert and error messages.

    The informative audit level generates a large number of entries and should be set only while troubleshooting.

    Audit Files and Directory

    By default, the audit daemon creates a new audit file when the current one reaches 100 Kbytes, and it keeps creating new audit files until the file system holding the audit directory is full. For this reason, you may want to mount the audit directory on a separate file system, so that a full audit trail cannot exhaust the file system that holds the rest of /var. The default audit directory is /var/adm/ipsec.

    Displaying Audit Files

    Audit files are not plain text; you must use the ipsec_report utility to decrypt and format them. First, determine the name of the current audit file:

    ipsec_admin -status

    Then use the -audit option of ipsec_report to display that file:

    ipsec_report -audit audit_file
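The procedure above has a few checks worth automating before the ipsec_admin call: that the level is one of the four valid names, that the audit directory really is on its own file system, and a reminder that informative is a troubleshooting setting. The following added example, not HP code, does that and also encodes the level ordering so you can ask whether an event of a given severity would be recorded under the configured level. The level names, their ordering and the ipsec_admin -au/-al options come from this page; the function names and messages are assumptions.

```shell
#!/usr/bin/sh
# Added example (not HP code): helpers for configuring IPSec/9000 auditing.
# Level names, ordering and the ipsec_admin options are documented;
# function names and diagnostics are assumed.

LEVELS="alert error warning informative"   # ascending, as documented

# Print the 1-based position of a level in the ascending list and return 0,
# or print 0 and return 1 for an unknown level.
level_rank() {   # level
    i=0
    for l in $LEVELS; do
        i=$((i + 1))
        [ "$l" = "$1" ] && { echo "$i"; return 0; }
    done
    echo 0
    return 1
}

valid_audit_level() { level_rank "$1" >/dev/null; }

# Would an event of severity $2 be written when the daemon is set to $1?
# A configured level records itself and every level before it in the list,
# so the default (error) records alert and error but not warning.
audit_level_records() {   # configured_level event_level
    c=$(level_rank "$1") || return 2
    e=$(level_rank "$2") || return 2
    [ "$e" -le "$c" ]
}

# Is the audit directory mounted on its own file system? Compares the
# df -P mount point of the directory with that of its parent.
audit_dir_on_own_fs() {   # audit_dir
    [ -d "$1" ] || return 2
    m1=$(df -P "$1" | awk 'NR == 2 { print $6 }')
    m2=$(df -P "$(dirname "$1")" | awk 'NR == 2 { print $6 }')
    [ "$m1" != "$m2" ]
}

# Validate, warn, apply, then show status (which names the current audit
# file, the argument for a following `ipsec_report -audit <file>`).
configure_audit() {   # audit_dir audit_level
    valid_audit_level "$2" || { echo "bad level '$2' (use: $LEVELS)" >&2; return 1; }
    audit_dir_on_own_fs "$1" || \
        echo "warning: $1 shares a file system with $(dirname "$1"); a full audit trail will fill it" >&2
    [ "$2" = informative ] && echo "note: informative is for troubleshooting; lower it when done" >&2
    ipsec_admin -au "$1" -al "$2" || return 1
    ipsec_admin -status
}

if [ $# -eq 2 ] && command -v ipsec_admin >/dev/null 2>&1; then
    configure_audit "$1" "$2"
fi
```

Run as `sh configure_audit.sh /var/adm/ipsec informative` while troubleshooting and again with `error` afterwards; the warning about a shared file system is the case the page cautions about, since the daemon keeps creating 100 Kbyte files until the file system is full.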

© 2001 Hewlett-Packard Development Company, L.P.