Troubleshooting Utilities Overview

HP-UX IPSec provides three troubleshooting utilities:

ipsec_admin: Returns status information and allows the administrator to change the audit level, audit file directory, audit file size, and enable or disable level 4 (TCP, UDP, IGMP) data tracing.
ipsec_policy: Allows the administrator to determine which IPSec policy will be used for a given packet.
ipsec_report: Reports HP-UX IPSec operating parameters and displays the contents of audit files. The output can be displayed to stdout or sent to a file.

Refer to the online manpages for above utilities for more information on how to use these utilities and how to interpret the output from them. The sections that follow describe common tasks and the commands to perform them:

Getting General Information

Table 5-1 Getting General Information

Task	Command
Get status of HP-UX IPSec components.	`ipsec_admin -status`
Show all active and configured IPSec policies, IKE policies, cache entries, SAs, active IP interfaces, bypass interfaces, and display current audit file.	`ipsec_report -all`

Getting SA Information

Table 5-2 Getting SA Information

Task	Command
Show current ISAKMP (Main Mode) SAs.	`ipsec_report -mad`
Show current IPSec SAs.	`ipsec_report -sad`

Getting Policy Information

Table 5-3 Getting Policy Information

Task	Command
Determine which IPSec policy matches a packet.	`ipsec_policy`
Show host IPSec policies in the configuration database.	`ipsec_config show host`
Show active host IPSec policies.	`ipsec_report -host ipsec_report -host [active]`
Show configured host IPSec policies in the policy database.	`ipsec_report -host configured`
Show gateway IPSec policies in the configuration database.	`ipsec_config show gateway`
Show active gateway IPSec policies.	`ipsec_report -gateway ipsec_report -gateway [active]`
Show configured gateway IPSec policies in the policy database.	`ipsec_report -gateway configured`
Show tunnel IPSec policies in the configuration database.	`ipsec_config show tunnel`
Show all tunnel IPSec policies in the policy database.	`ipsec_report -tunnel`
Show IKE policies in the configuration database.	`ipsec_config show ike`
Show IKE policies loaded by policy daemon.	`ipsec_report -ike`
Show current policy decisions cached by the kernel policy engine.	`ipsec_report -cache`

Getting Interface Information

Table 5-4 Getting Interface Information

Task	Command
Show active IP (configured, `UP` or `DOWN`) interfaces, and whether or not HP-UX IPSec is enabled for each interface.	`ipsec_report -ip`
Show bypass list entries.	`ipsec_report -bypass`

Viewing and Configuring Audit Information

Table 5-5 Viewing and Configuring Audit Information

Task	Command
Display contents of the audit file.	`ipsec_report -audit audit_file [-entity entity_name [entity_name ...]` where `entity_name` is one of the following names: `ikmpd ipsec_admin ipsec_config ipsec_mgr ipsec_policy ipsec_report secauditd secpolicyd`
Get the name of the current audit file.	`ipsec_admin -status`
Change the audit level.	`ipsec_admin -auditlvl [alert\|error\|warning\| informative\|debug]`
Change the audit file directory.	`ipsec_admin -audit audit_directory`
Change the maximum audit file size (in kilobytes).	`ipsec_admin -m[axsize] max_audit_file_size`
Configure audit parameters for startup time.	`ipsec_config add startup argument_list`

Enabling and Disabling Tracing

Table 5-6 Enabling and Disabling Tracing

Task	Command
Enable level four data tracing.	`ipsec_admin -traceon [tcp\|udp\|igmp\|all]`
Disable level four data tracing.	`ipsec_admin -traceoff [tcp\|udp\|igmp\|all]`

Troubleshooting Utilities Overview

Technical documentation

» Table of Contents

» Glossary