HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2 > Chapter 5 Troubleshooting HP-UX IPSec

Troubleshooting Procedures

This section describes the following troubleshooting procedures: checking status, isolating HP-UX IPSec problems from upper-layer problems, checking policy configuration, configuring HP-UX IPSec auditing, and viewing audit files.

Checking Status

HP-UX IPSec has five main modules:

  • IKE (ISAKMP/Oakley) daemon (ikmpd)

  • Policy daemon (secpolicyd)

  • Audit daemon (secauditd)

  • Kernel Policy engine

  • Kernel Security Association engine

The following command verifies the status of these modules:

ipsec_admin -status

This command sends status check messages to the IPSec daemons and checks kernel parameters to see if the kernel IPSec components are enabled.

You can also use the following command to get status information:

ipsec_report -all [-file filename]

This command will show some HP-UX IPSec activity even if there is no peer system running HP-UX IPSec. The -file option saves the output to the specified filename. This command performs the following tasks:

  • Queries the kernel Security Association (SA) engine for active IPSec/QM SAs on this system. If there is no peer IPSec system and/or no active IPSec/QM SAs, the kernel SA engine will respond that there are no IPSec/QM SAs to report. You can also do this by entering the command:

    ipsec_report -sad

  • Queries the IKE daemon for ISAKMP/MM SAs. If there is no peer IPSec system or no IPSec traffic, the IKE daemon will respond that there are no ISAKMP/MM SAs to report. You can also do this by entering the following command:

    ipsec_report -mad

  • Queries the policy daemon and reports the IKE policies. You can also do this by entering the following command:

    ipsec_report -ike

  • Queries the policy daemon and reports the configured host IPSec policies. You can also do this by entering the following command:

    ipsec_report -host configured

  • Queries the policy daemon and reports the active host IPSec policies. To create the list of active host IPSec policies, the policy daemon expands configured host IPSec policies with wildcard and subnet specifications for the active IP interfaces (configured UP or DOWN, plumbed) on the local system. The policy daemon also creates active host IPSec policies as needed for active traffic by expanding remote IP address specifications and any other wildcard field values. You can also do this by entering the following command:

    ipsec_report -host [active]

  • Queries the policy daemon and reports the active gateway IPSec policies. You can also do this by entering the following command:

    ipsec_report -gateway [active]

  • Queries the policy daemon and reports the tunnel IPSec policies. You can also do this by entering the following command:

    ipsec_report -tunnel

  • Queries the policy daemon and reports the interfaces in the bypass list. You can also do this by entering the following command:

    ipsec_report -bypass

  • Queries the policy daemon and reports the active (configured UP or DOWN, plumbed) IP interfaces, and whether or not HP-UX IPSec is enabled for each interface. You can also do this by entering the following command:

    ipsec_report -ip

  • Queries the kernel policy engine and reports the contents of its cache. The cache records the most recent decisions that the kernel policy engine has made for the traffic that has passed in and out of the system. If there is no IPSec peer, the kernel policy engine still reports decisions for packets that have been sent or received by the system (including broadcast packets) by five-tuple (source IP address, destination IP address, protocol, source port, destination port) and the action taken—even if the action was to pass the packet in clear text, according to the configuration. You can also do this by entering the following command:

    ipsec_report -cache

  • Format and display the contents of the current audit file. You can also do this by entering the following command:

    ipsec_report -audit audit_file

Isolating HP-UX IPSec Problems from Upper-layer Problems

If you are unsure whether an application problem is caused by HP-UX IPSec, you can enable layer 4 (TCP, UDP, IGMP) tracing. This captures outbound data packets before HP-UX IPSec encrypts them and inbound packets after HP-UX IPSec decrypts them, so the trace shows the application data as the upper layers see it.

Because layer 4 tracing records packet contents in clear text and is therefore a potential security exposure, it is disabled when HP-UX IPSec is started and can be enabled only with the ipsec_admin utility, which requires root capability and the HP-UX IPSec administrator password.

To enable layer 4 tracing, use the following command:

ipsec_admin -traceon [ tcp | udp | igmp | all ]

Tracing output will go to /var/adm/ipsec/nettl.TRC0 and /var/adm/ipsec/nettl.TRC1 if nettl tracing is not already enabled. If it is, the trace files will be those already in use by nettl.

Checking Policy Configuration

There are two methods for determining which policy HP-UX IPSec uses for a packet:

  • Use the ipsec_policy command to query the policy daemon to determine which policy HP-UX IPSec would use for the packets.

  • Generate packets and examine policy cache and policy entries to determine which policy HP-UX IPSec used for the packets.

Using ipsec_policy

Use the ipsec_policy command to determine which IPSec policy will be used for a given packet. For example, on system 15.1.1.1, you want to determine which host policy HP-UX IPSec will use for outbound telnet requests to 15.2.2.2 (the local system 15.1.1.1 is the telnet client). Use the following command:

ipsec_policy -sa 15.1.1.1 -sp 65535 -da 15.2.2.2 -dp 23 -p tcp -dir out

To determine which host policy HP-UX IPSec will use for inbound telnet requests to 15.1.1.1 from system 15.2.2.2 (the local system 15.1.1.1 is the telnet server), you can use the following command:

ipsec_policy -da 15.1.1.1 -dp 23 -sa 15.2.2.2 -sp 65535 -p tcp -dir in

Refer to the ipsec_policy(1M) manpage for more information.

NOTE: Both examples shown above include a dummy user-space port number (65535) for the client port.

Examining the Policy Cache and Policy Entries

To determine the actual IPSec policy used for a packet, examine the output from the ipsec_report -cache command to find the cached policy decision for the packet, then use the Cookie field from the ipsec_report -cache entry to find the matching entry in the ipsec_report -host output. The cache entry below is for an attempted outbound telnet session from system 192.1.1.1 to system 192.1.1.3. The host policy on 192.1.1.1 is misconfigured, so the system sends the packets in clear text. The output from the ipsec_report -cache command shows the following entry:

-------------------Cache Policy Rule -----------------------
Cache Policy Record: 9 Cookie: 1
Src IP Address: 192.1.1.1 Src Port number: 56122
Dst IP Address: 192.1.1.3 Dst Port number: 23
Network Protocol: TCP Direction: outbound
Action: Pass

The output from the ipsec_report -host command shows the following entry. In this configuration, Cookie 1 corresponds to the default host IPSec policy, with the action PASS.

---------------- Active Host Policy Rule -------------------
Rule Name: default ID: 1 Cookie: 1
Action: Pass
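The Cookie correlation described above, automated with awk so that a given 5-tuple can be traced from the cache decision to the host policy rule that produced it. This is an added example, not code from the HP-UX IPSec guide or product; the two report excerpts it parses are constructed here to follow the field layout shown above (the second cache record, the ssh_to_7 rule and its Secure action value are assumptions), and the function names cache_cookie, host_rule and explain_packet are likewise assumptions.

```shell
#!/bin/sh
# Added example: correlate an ipsec_report -cache decision with the
# ipsec_report -host rule that produced it, keyed on the Cookie field.
# The two report excerpts below are CONSTRUCTED samples that follow the
# field layout shown in the guide; on a live system set
#   CACHE_OUT=$(ipsec_report -cache)  and  HOST_OUT=$(ipsec_report -host active)
# before calling the functions.

CACHE_OUT='-------------------Cache Policy Rule -----------------------
Cache Policy Record: 9 Cookie: 1
Src IP Address: 192.1.1.1 Src Port number: 56122
Dst IP Address: 192.1.1.3 Dst Port number: 23
Network Protocol: TCP Direction: outbound
Action: Pass
-------------------Cache Policy Rule -----------------------
Cache Policy Record: 10 Cookie: 4
Src IP Address: 192.1.1.1 Src Port number: 40211
Dst IP Address: 192.1.1.7 Dst Port number: 22
Network Protocol: TCP Direction: outbound
Action: Secure'

HOST_OUT='---------------- Active Host Policy Rule -------------------
Rule Name: ssh_to_7 ID: 4 Cookie: 4
Action: Secure
---------------- Active Host Policy Rule -------------------
Rule Name: default ID: 1 Cookie: 1
Action: Pass'

# cache_cookie SRC DST DPORT PROTO DIR
#   Prints the Cookie of the first cache record whose addresses, destination
#   port, protocol and direction match (the ephemeral source port is ignored);
#   prints nothing if no decision has been cached for that traffic.
cache_cookie() {
    printf '%s\n' "$CACHE_OUT" | awk -v s="$1" -v d="$2" -v dp="$3" -v pr="$4" -v di="$5" '
        /^Cache Policy Record:/ { cookie = $NF }
        /^Src IP Address:/      { src = $4 }
        /^Dst IP Address:/      { dst = $4; dport = $NF }
        /^Network Protocol:/    { proto = $3; dir = $NF }
        /^Action:/ {
            if (src == s && dst == d && dport == dp &&
                toupper(proto) == toupper(pr) && dir == di) { print cookie; exit }
        }'
}

# host_rule COOKIE
#   Prints "<rule name> <action>" for the active host policy with that Cookie.
host_rule() {
    printf '%s\n' "$HOST_OUT" | awk -v c="$1" '
        /^Rule Name:/ { name = $3; cookie = $NF }
        /^Action:/    { if (cookie == c) { print name, $2; exit } }'
}

# explain_packet SRC DST DPORT PROTO DIR
#   Prints "cookie=<n> rule=<name> action=<action>", or reports that the
#   kernel policy engine has not cached a decision for that traffic.
explain_packet() {
    cookie=$(cache_cookie "$@")
    if [ -z "$cookie" ]; then
        echo "no cached decision for $1 -> $2:$3/$4 $5"
        return 1
    fi
    set -- $(host_rule "$cookie")
    echo "cookie=$cookie rule=$1 action=$2"
}

# The misconfigured telnet case from the guide lands on the default PASS
# rule (cookie 1); SSH to 192.1.1.7 matches the constructed Secure rule.
explain_packet 192.1.1.1 192.1.1.3 23 tcp outbound
explain_packet 192.1.1.1 192.1.1.7 22 tcp outbound
```

An empty result from cache_cookie is itself useful: it means the kernel policy engine has not seen that traffic, so the problem is upstream of policy selection (routing, the application, or the wrong interface) rather than a misconfigured rule.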

Configuring HP-UX IPSec Auditing

You can configure or set the following HP-UX IPSec audit parameters:

  • audit level

  • audit directory

  • maximum audit file size

You can change the audit parameters while HP-UX IPSec is active using the ipsec_admin command. To change the audit parameters used every time HP-UX IPSec starts, use the ipsec_config add startup command. You can also specify audit parameters with the ipsec_admin start command.

Audit Level

The HP-UX IPSec audit levels are defined as follows:

  • alert: Alert audit entries report events that may require administrator attention, including security violations and attacks, password violations, errors that may prevent correct operation of the product, any error condition that is not recoverable, authentication problems, significant changes in security parameters, unknown message types, and changing of the HP-UX IPSec password or audit level.

  • error: Error audit entries report error events including recoverable error conditions, syntax errors, unsupported features, bad packets, and unknown message types.

  • warning: Warning audit entries report non-intrusive security events.

  • informative: Informative audit entries provide detailed event logging for troubleshooting.

  • debug: Debug audit entries provide very detailed event logging for debugging and troubleshooting.

NOTE: Setting the audit level to informative or debug generates numerous audit entries. You should set the audit level to informative or debug for troubleshooting only.

The audit levels are shown in ascending order. If you set the audit level to a higher level, all lower levels are also included. For example, if you set the audit level to informative, the audit daemon also records all alert, error and warning messages. The default audit level is error, which includes alert messages.

Audit Files and Directory

By default, the audit daemon creates a new audit file when the current file reaches 100 Kbytes. It continues creating new audit files until the file system that holds the audit directory is full. For this reason, you may want to mount the audit directory on a separate file system. The default audit directory is /var/adm/ipsec.

Audit File Size

To change the maximum audit file size, use the following command:

ipsec_admin -m[axsize] max_audit_file_size

The max_audit_file_size is specified in kilobytes.

Dynamically Setting Audit Parameters

If HP-UX IPSec is running, you can dynamically set the audit parameters by entering the following command:

ipsec_admin [-al audit_level] [-au audit_directory] [-maxsize max_size]

audit_level can be alert, error, warning, informative, or debug. A selected audit level includes all the lower audit levels.

audit_directory is the fully-qualified path name for the audit directory.

max_size is the maximum size for each audit file, in kilobytes. The range is 1 - 4294967294.

Configuring Startup Audit Parameters

To set the audit parameters used every time HP-UX IPSec starts, modify the startup record in the configuration database by entering a command similar to the following:

ipsec_config add startup [-autoboot ON|OFF] [-auditlvl audit_level] [-auditdir audit_directory] [-maxsize max_size] ...

audit_level can be alert, error, warning, informative, or debug. A selected audit level includes all the lower audit levels.

audit_directory is the fully-qualified path name for the audit directory.

max_size is the maximum size for each audit file, in kilobytes. The range is 1 - 4294967294.

When you modify startup parameters in the configuration database, the changes do not take effect until the next time HP-UX IPSec starts.

The startup configuration object includes other operating parameters. Any parameters you do not specify are reset to their default values, including the autoboot flag, which determines whether HP-UX IPSec starts automatically at system startup. To configure HP-UX IPSec to start automatically at system startup, include the -autoboot ON option in the ipsec_config add startup command.
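The audit parameter rules from the sections above (the ascending level order in which a selected level includes all lower ones, the 1 - 4294967294 kilobyte range for max_size, the fully-qualified audit directory, the separate file system suggestion, and the reset-to-default behaviour of ipsec_config add startup), as shell helpers that validate a proposed configuration and compose the startup command with every parameter stated explicitly. This is an added example rather than code from the HP-UX IPSec guide or product; the function names are assumptions, and the command it prints uses only the options documented in this chapter.

```shell
#!/bin/sh
# Added example: validate HP-UX IPSec audit parameters before applying them.
# Function names are assumptions; the options in the composed command are the
# ones documented in this chapter.

# Audit levels in ascending order, as the guide lists them.
AUDIT_LEVELS="alert error warning informative debug"

# audit_rank LEVEL -> prints 1..5 for a valid level, fails otherwise.
audit_rank() {
    i=0
    for l in $AUDIT_LEVELS; do
        i=$((i + 1))
        [ "$l" = "$1" ] && { echo "$i"; return 0; }
    done
    return 1
}

# audit_records CONFIGURED EVENT -> succeeds if an event logged at level
# EVENT is written when the audit level is CONFIGURED (a selected level
# includes all lower levels).
audit_records() {
    c=$(audit_rank "$1") || return 2
    e=$(audit_rank "$2") || return 2
    [ "$e" -le "$c" ]
}

# valid_maxsize KB -> succeeds if KB is an integer within 1 - 4294967294.
valid_maxsize() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 10 ] && [ "$1" -ge 1 ] && [ "$1" -le 4294967294 ]
}

# audit_dir_on_own_fs DIR -> succeeds if DIR sits on a different file system
# than /var, so a flood of audit files cannot fill /var (uses POSIX df -P).
audit_dir_on_own_fs() {
    a=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $1 }')
    b=$(df -P /var 2>/dev/null | awk 'NR == 2 { print $1 }')
    [ -n "$a" ] && [ "$a" != "$b" ]
}

# startup_command LEVEL DIR KB -> prints the full ipsec_config add startup
# command. Every parameter is given explicitly, including -autoboot ON,
# because any parameter left out is reset to its default value.
startup_command() {
    audit_rank "$1" >/dev/null || { echo "bad audit level: $1" >&2; return 1; }
    case $2 in /*) ;; *) echo "audit directory must be fully qualified: $2" >&2; return 1 ;; esac
    valid_maxsize "$3" || { echo "max_size out of range: $3" >&2; return 1; }
    printf 'ipsec_config add startup -autoboot ON -auditlvl %s -auditdir %s -maxsize %s\n' "$1" "$2" "$3"
}

# Worked run: an informative-level troubleshooting configuration.
startup_command informative /var/adm/ipsec 1024
audit_dir_on_own_fs /var/adm/ipsec || echo "note: /var/adm/ipsec shares a file system with /var"
```

The printed command is meant to be reviewed and then pasted into the root shell; audit_records is handy when deciding whether raising the level to informative is actually needed to see the IKE entries you are looking for, and remember to lower the level again once troubleshooting is done.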

Viewing Audit Files

You must use the ipsec_report utility to view audit files. First, determine the current audit file:

ipsec_admin -status

Then use the -audit option of ipsec_report to display the file:

ipsec_report -audit audit_file

Filtering Audit File Output by Entity

You can filter the audit file output so ipsec_report shows only entries recorded by specified entities.

ipsec_report -audit audit_file -entity entity_name [entity_name ...]

where entity_name is one of the following names:

ikmpd
ipsec_admin
ipsec_config
ipsec_mgr
ipsec_policy
ipsec_report
secauditd
secpolicyd

TIP: When troubleshooting problems with establishing SAs, set the audit level to informative. If you know which policy HP-UX IPSec is using, you can specify -entity ikmpd when displaying the audit file contents to view only the IKE audit entries.
© 2004 Hewlett-Packard Development Company, L.P.