HP-UX IPSec version A.01.06 Administrator's Guide: HP-UX 11i Version 2 > Chapter 5 Troubleshooting HP-UX IPSec

Troubleshooting Hints

Procedures to obtain basic troubleshooting information are shown below. These procedures include a status check using the ipsec_admin and ipsec_report commands, isolating upper-layer problems, checking the policy configuration, and configuring HP-UX IPSec auditing.

Status Check

HP-UX IPSec has five main modules:

  • IKE (ISAKMP/Oakley) daemon (ikmpd)

  • Policy daemon (secpolicyd)

  • Audit daemon (secauditd)

  • Kernel Policy engine

  • Kernel Security Association engine

The following command verifies the status of these modules:

ipsec_admin -status

This command sends status check messages to the IPSec daemons and checks kernel parameters to see if the kernel IPSec components are enabled.

You can also use the following command to get status information:

ipsec_report -all

This command will show some HP-UX IPSec activity even if there is no peer system running HP-UX IPSec. It will:

  • Query the policy daemon and report the IPSec and ISAKMP policies that have been configured by the user and loaded by the policy daemon. You can also do this by entering the following command:

    ipsec_report -policy

  • Query the kernel policy engine and report the contents of its cache. The cache records the most recent decisions that the kernel policy engine has made for the traffic that has passed in and out of the system. If there is no IPSec peer, the kernel policy engine still reports all packets that have been sent or received by the system (including broadcast packets) by five-tuple (source IP address, destination IP address, protocol, source port, destination port) and the action taken—even if the action was to pass the packet in clear text, according to the configuration. You can also do this by entering the following command:

    ipsec_report -cache

  • Query the IKE daemon for ISAKMP/MM SAs. If there is no peer IPSec system or no IPSec traffic, the IKE daemon will respond that there are no ISAKMP/MM SAs to report. You can also do this by entering the following command:

    ipsec_report -mad

  • Query the kernel Security Association (SA) engine for active IPSec/QM SAs on this system. If there is no peer IPSec system and/or no active IPSec/QM SAs, the kernel SA engine will respond that there are no IPSec/QM SAs to report. You can also do this by entering the command:

    ipsec_report -sad

  • Format and display the contents of the current audit file. You can also do this by entering the following command:

    ipsec_report -audit audit_file

Isolating HP-UX IPSec Problems from Upper-layer Problems

If you are unsure whether an application problem is being caused by HP-UX IPSec, you can enable layer 4 (TCP, UDP, IGMP) tracing. This captures outbound packets before HP-UX IPSec encrypts them and inbound packets after HP-UX IPSec decrypts them, so the trace shows the data the application actually sent and received, independent of what happened on the wire.

Because layer 4 tracing records that data in clear text, it is a potential security exposure: it is disabled when HP-UX IPSec is started and can only be enabled using the ipsec_admin utility, which requires root capability and the HP-UX IPSec administrator password. Turn it off again as soon as the trace has been captured, and protect the trace files, since they hold application data in the clear.

To enable layer 4 tracing, use the following command:

       ipsec_admin -traceon [ tcp | udp | igmp | all ]

Tracing output will go to /var/adm/ipsec/nettl.TRC0 and /var/adm/ipsec/nettl.TRC1 if nettl tracing is not already enabled. If it is, the trace files will be those already in use by nettl.

Checking Policy Configuration

You can use the ipsec_policy command to check which IPSec policy will be used for a given outbound packet. For example, on system 15.1.1.1, first determine which policy would be used for outbound telnet requests to 15.2.2.2 (local client port 1024 to remote port 23). Use the following command:

ipsec_policy -sa 15.1.1.1 -sp 1024 -da 15.2.2.2 -dp 23 -p tcp

Next, determine which policy would be used for inbound telnet requests to 15.1.1.1 from system 15.2.2.2. Because ipsec_policy evaluates outbound packets only, you check the inbound case by looking up the outbound reply of that connection instead (local port 23 to the remote client port 1024). Use the following command:

ipsec_policy -sa 15.1.1.1 -sp 23 -da 15.2.2.2 -dp 1024 -p tcp

In both examples the source IP address (-sa) is therefore the address of the system on which the administrator is executing ipsec_policy (15.1.1.1), and the destination address (-da) is the remote system. Refer to the ipsec_policy(1M) man page.

NOTE: Both examples shown above include a dummy user-space port number (1024) for the client port.
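The two lookups above, generalized into a small script: this is an added example and is not part of this guide. It uses only the ipsec_policy options shown above (-sa, -sp, -da, -dp, -p), encodes the rule that an inbound request is checked as its outbound reply, and defaults the client port to the guide's dummy value of 1024. The function and script names are the example's own.

```sh
#!/bin/sh
# Added example, not from the HP-UX IPSec guide: look up the policy that
# HP-UX IPSec would apply to a TCP or UDP service in both directions.
# ipsec_policy evaluates outbound packets only, so the "inbound" direction is
# checked by looking up the outbound reply of that connection, exactly as the
# two telnet examples in the guide do. Only the -sa/-sp/-da/-dp/-p options
# shown in the guide are used.

# Arguments for the request a local client sends to a remote server:
#   LOCAL_IP:CLIENT_PORT -> REMOTE_IP:SERVER_PORT
outbound_request_args() {
    local_ip=$1 remote_ip=$2 server_port=$3 client_port=$4 proto=$5
    echo "-sa $local_ip -sp $client_port -da $remote_ip -dp $server_port -p $proto"
}

# Arguments for the reply a local server sends back to a remote client:
#   LOCAL_IP:SERVER_PORT -> REMOTE_IP:CLIENT_PORT
# This is how an inbound request has to be checked with ipsec_policy.
inbound_reply_args() {
    local_ip=$1 remote_ip=$2 server_port=$3 client_port=$4 proto=$5
    echo "-sa $local_ip -sp $server_port -da $remote_ip -dp $client_port -p $proto"
}

# check_policy_both_ways LOCAL_IP REMOTE_IP SERVER_PORT [CLIENT_PORT] [PROTO]
# Runs ipsec_policy for both directions of the service and prints each
# result under a heading naming the five-tuple that was looked up.
check_policy_both_ways() {
    local_ip=$1 remote_ip=$2 server_port=$3
    client_port=${4:-1024}     # dummy ephemeral client port, as in the guide
    proto=${5:-tcp}
    [ -n "$local_ip" ] && [ -n "$remote_ip" ] && [ -n "$server_port" ] || {
        echo "usage: check_policy_both_ways LOCAL_IP REMOTE_IP SERVER_PORT [CLIENT_PORT] [PROTO]" >&2
        return 2
    }

    echo "== outbound request: $proto $local_ip:$client_port -> $remote_ip:$server_port"
    ipsec_policy $(outbound_request_args "$local_ip" "$remote_ip" "$server_port" "$client_port" "$proto")

    echo "== inbound request, checked as its outbound reply: $proto $local_ip:$server_port -> $remote_ip:$client_port"
    ipsec_policy $(inbound_reply_args "$local_ip" "$remote_ip" "$server_port" "$client_port" "$proto")
}

# When run as a script, e.g.:  ./check_policy.sh 15.1.1.1 15.2.2.2 23
if [ $# -ge 3 ]; then
    check_policy_both_ways "$@"
fi
```

Run it as root on the system whose policies you are checking; the first address is always the local system, for the reason given above. If the two lookups return different policies, the policy set is asymmetric for that service and the inbound or reply traffic may be handled differently from what you expect.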

Configuring HP-UX IPSec Auditing

Follow the steps below to record HP-UX IPSec audit trail security activity.

  1. Determine the name of the audit directory if you do not wish to use the default. The default directory is /var/adm/ipsec/.

  2. Determine the audit level for the HP-UX IPSec subsystem. The default audit level is Error. The Error audit level provides notification of Alert and Error events. The other audit levels are: Alert, Warning and Informative. Refer to the ipsec_admin(1M) man page online or in Appendix D “Configuration Reference” for a detailed description of each audit level.

  3. At the HP-UX prompt, set the auditing parameters by running:

    ipsec_admin -au audit_directory -al audit_level

    where audit_level is alert, error, warning, or informative. The levels are listed in ascending order, and setting a level also records every lower level: for example, if you set the audit level to informative, the audit daemon also records all alert, error, and warning messages. The default audit level is error, which includes alert messages.

    The informative audit level will generate numerous entries and should only be set for troubleshooting.
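Because the informative level should be on only while you troubleshoot, it is easy to forget to set it back. The following script is an added example, not part of this guide: it raises the audit level around a single command and restores the default afterwards, even if the command fails or is interrupted. It uses only the ipsec_admin -au audit_directory -al audit_level form shown in step 3 and assumes that form can be rerun to change the level; the AUDIT_DIR and DEFAULT_LEVEL defaults follow the guide's defaults, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the HP-UX IPSec guide: run one troubleshooting
# command with HP-UX IPSec auditing temporarily raised (typically to
# informative), then put the level back to the default even if the command
# fails or is interrupted. The informative level generates many entries, so
# leaving it on by accident is the failure mode this guards against. Only
# "ipsec_admin -au DIR -al LEVEL" from the guide is used; AUDIT_DIR and
# DEFAULT_LEVEL follow the guide's defaults and may be overridden in the
# environment.

AUDIT_DIR=${AUDIT_DIR:-/var/adm/ipsec}
DEFAULT_LEVEL=${DEFAULT_LEVEL:-error}

# The four audit levels the guide documents, lowest to highest.
valid_audit_level() {
    case "$1" in
        alert|error|warning|informative) return 0 ;;
        *) return 1 ;;
    esac
}

# set_audit_level LEVEL: apply LEVEL to the configured audit directory.
set_audit_level() {
    valid_audit_level "$1" || { echo "set_audit_level: unknown level '$1'" >&2; return 1; }
    ipsec_admin -au "$AUDIT_DIR" -al "$1"
}

# with_audit_level LEVEL CMD [ARGS...]
# Raise auditing to LEVEL, run CMD, restore DEFAULT_LEVEL, and return CMD's
# exit status so the caller can still see whether the reproduction failed.
with_audit_level() {
    level=$1
    shift
    [ $# -ge 1 ] || { echo "usage: with_audit_level LEVEL CMD [ARGS...]" >&2; return 2; }
    set_audit_level "$level" || return 1
    # Restore the default level if we are interrupted while CMD runs.
    trap 'set_audit_level "$DEFAULT_LEVEL"; exit 130' INT TERM
    "$@"
    rc=$?
    trap - INT TERM
    set_audit_level "$DEFAULT_LEVEL"
    return $rc
}

# When run as a script, e.g.:  ./ipsec_audit_run.sh informative telnet 15.2.2.2
if [ $# -ge 2 ]; then
    with_audit_level "$@"
fi
```

Run it as root and interactively, since ipsec_admin may prompt for the HP-UX IPSec administrator password. After the command returns, view the entries it produced with ipsec_report -audit on the current audit file.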

Audit Files and Directory

By default, the audit daemon creates a new audit file when the current file reaches 100 Kbytes. It continues creating new audit files until the file system holding the audit directory is full. For this reason, you may want to mount the audit directory on a separate file system, so that a verbose audit level cannot fill a file system that other services depend on. The default audit directory is /var/adm/ipsec.

Displaying Audit Files

You must use the ipsec_report utility to view audit files. First, determine the current audit file:

ipsec_admin -status

Then use the -audit option of ipsec_report to display the file:

ipsec_report -audit audit_file

© 2003 Hewlett-Packard Development Company, L.P.