B    IPsec Messages

You might see the following types of IPsec messages:

B.1    Normal Status Messages

The following messages indicate IPsec is correctly installed and enabled:

IPSEC: Initializing engine

Explanation: The IPsec module has been loaded into the kernel and is being initialized.

IPSEC: Attaching to the TCP/IP stack

Explanation: The IPsec module is processing IP packets. The system is in IP secure mode.

IPSEC: Detaching from the TCP/IP stack

Explanation: The IPsec module is no longer processing IP packets. The system is no longer in IP secure mode.

B.2    Start-up Error Messages

This section contains general start-up error messages and manual key connection error messages.

B.2.1    General Start-Up Error Messages

The following error messages are issued to the screen or console or sent to the syslogd daemon:

Can not open connection with the packet processing engine. Check that the engine module is loaded into kernel, the device used on communication exists, and you have permission to open that device. This process must be run on super-user privileges.

Explanation: Possible causes include: the engine module is not loaded into the kernel, the device used to communicate with the engine does not exist, or the process does not have permission to open that device (it must run with superuser privileges).

Could not read configuration file `file': not reconfiguring

Explanation: IPsec was told to reconfigure, but one of the IPsec policy files is missing or not readable.

Could not start the cryptography system

Explanation: IPsec cannot start because it is unable to communicate with the Common Data Security Architecture (CDSA) subsystem. The CDSA subset might have been removed, or the CDSA libraries or databases might be corrupted.

Dropping IPprotocol packet source->dest proto:port->port

Explanation: The logging of packets that do not match any secure connection was enabled and IPsec received a packet that did not match any rule in the IPsec policy.

SPD: could not decode certificate `name': number

Explanation: The certificate file has an invalid format.

SPD: Could not decode local-address of connection `name'

Explanation: The local address for the connection is not a valid IPv4 or IPv6 address, subnet, or range.

SPD: Could not decode remote-address of connection `name'

Explanation: The remote address for the connection is not a valid IPv4 or IPv6 address, subnet, or range.

SPD: Could not handle local-address of type n for connection `name'

Explanation: The local address for the connection is not a valid IPv4 or IPv6 address, subnet, or range.

SPD: Could not handle remote-address of type n for connection `name'

Explanation: The remote address for the connection is not a valid IPv4 or IPv6 address, subnet, or range.

SPD: could not read certificate `name' of the connection `name'

Explanation: The certificate file cannot be read by root.

SPD: could not read CRL `name'

Explanation: A CA certificate is marked as having a Certificate Revocation List (CRL), but IPsec cannot read the CRL file.

SPD: could not read private key `name'

Explanation: IPsec could not read the named private key file. It must be readable by root and contain a valid private key.

SPD: Invalid local-gw specification id

Explanation: The local gateway specification is an invalid IPv4 or IPv6 address.

SPD: Invalid remote-gw specification id

Explanation: The remote gateway specification is an invalid IPv4 or IPv6 address.

SPD: local and remote selectors specify different IP protocol ID. Skipping connection `name'

Explanation: A connection specifies only a local IPv4 address and a remote IPv6 address or vice versa, which is invalid. The connection is ignored.

SPD: no certificate file name specified for the certificate `name'

Explanation: The file name in a certificate definition is invalid.

SPD: no private key file specified for the authentication certificate `name'

Explanation: You are using a certificate to authenticate this host, but did not specify a private key file. The private key file must be readable by root and contain a valid private key.

SPD: Policy not instantiated due to errors.

Explanation: Serious errors were found in the Security Policy Database (SPD) file; IPsec will not start with this security policy.

SPD: port selectors specified for protocol `proto' which is not TCP or UPD: port selectors ignored for connection `name'

Explanation: You specified a port number for the connection, but specified something other than TCP or UDP as the protocol.

SPD: the certificate `name' is a CA certificate but is not marked as trusted. The certificate is not configured in the certificate manager.

Explanation: The certificate has the internal attribute that says it is a CA certificate, but it is not marked as such in the IPsec configuration. The certificate will be ignored.

SPD: the private key `name' is broken

Explanation: IPsec could not read the private key file. The private key file must be readable by root and contain a valid private key.

SPD: the trusted certificate `name' does not contain the Basic Constraints extension. This is against RFC-2459. However, forcing the certificate as a point of trust because of the flag `trusted'.

Explanation: The certificate marked as a Certification Authority (CA) certificate does not have the internal attribute usually set in a CA certificate. It will still be trusted as a CA certificate.

B.2.2    Manual Key Connection Error Messages

The following error messages occur at start up since that is when the Security Associations (SAs) are created:

AH or ESP authentication key is not long enough for the specified algorithm at connection id

Explanation: The manual key specified in the connection does not have a valid length. Each cipher or HMAC algorithm has a specified key length.

ESP cipher key is not long enough for the specified algorithm at Connection id: got n, minimum n

Explanation: The manual key specified in the connection does not have a valid length. Each cipher or HMAC algorithm has a specified key length.

SPD: Algorithms for manually keyed connection id can not be determined. The proposal-list is missing, or it does not contain exactly one proposal.

Explanation: Manually keyed connections must have a proposal list with exactly one proposal. The proposal can be a chain, but must contain only one instance of each protocol (for example, AH, ESP, IPcomp). There must be an inbound and outbound key specified for each protocol.

SPD: invalid number of cipher or HMAC algorithm names in proposal `name' for manually keyed connection `name'

Explanation: The proposal does not have the required number of cipher or hashing algorithm names. Manually keyed connections must have a proposal list with exactly one proposal. The proposal can be a chain, but must contain only one instance of each protocol (for example, AH, ESP, IPcomp). There must be an inbound and outbound key specified for each protocol.

SPD: invalid number of compression algorithm names in proposal `name' for manually keyed connection `name'

Explanation: The proposal does not have the required number of compression algorithm names. Manually keyed connections must have a proposal list with exactly one proposal. The proposal can be a chain, but must contain only one instance of each protocol (for example, AH, ESP, IPcomp). There must be an inbound and outbound key specified for each protocol.

SPD: invalid number of HMAC names in proposal `name' for manually keyed connection `name'

Explanation: The proposal does not have the required number of hashing algorithm names. Manually keyed connections must have a proposal list with exactly one proposal. The proposal can be a chain, but must contain only one instance of each protocol (for example, AH, ESP, IPcomp). There must be an inbound and outbound key specified for each protocol.

SPD: invalid number of proposals in the proposal list `name' of the manually keyed connection `name'

Explanation: The specified proposal list does not have the required number of proposals. Manually keyed connections must have a proposal list with exactly one proposal. The proposal can be a chain, but must contain only one instance of each protocol (for example, AH, ESP, IPcomp). There must be an inbound and outbound key specified for each protocol.

SPD: invalid transform type in transform `name' for manually keyed connection `name'

Explanation: Manually keyed connections must have a proposal list with exactly one proposal. The proposal can be a chain, but must contain only one instance of each protocol (for example, AH, ESP, IPcomp). There must be an inbound and outbound key specified for each protocol.

SPD: The number of keys n for connection id does not match protocol count n

Explanation: The number of manual keys specified does not match the number of protocols specified in the connection. Manually keyed connections must have a proposal list with exactly one proposal. The proposal can be a chain, but must contain only one instance of each protocol (for example, AH, ESP, IPcomp). There must be an inbound and outbound key specified for each protocol.

SPD: too few keys for manually keyed connection `name'

Explanation: You did not specify the required number of keys for the connection. There must be an inbound and outbound key specified for each protocol.

SPI for connection id is not specified or is less than 256.

Explanation: The SPI value for one of the keys of this manually keyed connection is missing or invalid. Valid values are greater than 256.

Transport endpoints not specified for Connection id. For IKE these can be left out, but for manually keyed connection they must be present.

Explanation: You did not specify the local address, remote address, or both for the connection. All parameters for a manually keyed connection must be defined in the connection.

Truncating key name ciph len n to required n bits

Explanation: The manual key specified in the connection does not have a valid length. Each cipher or HMAC algorithm has a specified key length.
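The following validator is an added example, not code from the product: it applies the manual-key rules stated in the explanations above (both endpoints present, exactly one proposal, one instance of each protocol, an inbound and an outbound key per protocol, an SPI of at least 256, and a key long enough for the algorithm) to a connection definition. The dictionary layout, the MIN_KEY_BITS table and the sample connection are assumptions for the example.

```python
# Minimum key lengths in bits per algorithm: an assumed table for this example;
# the product's actual per-algorithm minimums are not listed in this appendix.
MIN_KEY_BITS = {"aes": 128, "3des": 192, "hmac-sha1": 160, "hmac-md5": 128}
MIN_SPI = 256  # SPI values below 256 are rejected at start-up

def check_manual_connection(conn):
    """Return the problems found in a manually keyed connection (empty list = OK).

    Assumed layout: conn["proposal_list"] is a list of proposals, each a chain of
    transforms {"proto", "cipher", "hmac"}; conn["keys"] holds one inbound and
    one outbound key per transform, in order, each {"spi", "cipher_key", "hmac_key"}
    with the key material as hex strings."""
    errs, name = [], conn.get("name", "?")
    if not conn.get("local") or not conn.get("remote"):
        errs.append(f"Transport endpoints not specified for Connection {name}")
    props = conn.get("proposal_list", [])
    if len(props) != 1:
        errs.append(f"SPD: invalid number of proposals in the proposal list of `{name}'")
        return errs
    chain, seen = props[0], set()
    for t in chain:  # a chain may hold AH, ESP, IPcomp, but each only once
        if t["proto"] in seen:
            errs.append(f"SPD: protocol {t['proto']} appears twice in the proposal of `{name}'")
        seen.add(t["proto"])
    keys = conn.get("keys", [])
    if len(keys) != 2 * len(chain):  # inbound + outbound key per protocol
        errs.append(f"SPD: The number of keys {len(keys)} for connection {name} does not match protocol count {len(chain)}")
        return errs
    for t, key in zip([x for x in chain for _ in (0, 1)], keys):
        if key.get("spi", 0) < MIN_SPI:
            errs.append(f"SPI for connection {name} is not specified or is less than {MIN_SPI}.")
        for alg, hexkey, what in ((t.get("cipher"), key.get("cipher_key"), "ESP cipher"),
                                  (t.get("hmac"), key.get("hmac_key"), "AH or ESP authentication")):
            if alg is None:
                continue
            got = len(bytes.fromhex(hexkey or "")) * 8
            if got < MIN_KEY_BITS[alg]:
                errs.append(f"{what} key is not long enough for the specified algorithm at connection {name}: got {got}, minimum {MIN_KEY_BITS[alg]}")
    return errs

# Constructed sample connection (not from a real policy file): ESP with AES and HMAC-SHA1
GOOD = {"name": "hostA-hostB", "local": "192.0.2.10", "remote": "198.51.100.7",
        "proposal_list": [[{"proto": "esp", "cipher": "aes", "hmac": "hmac-sha1"}]],
        "keys": [{"spi": 1000, "cipher_key": "00" * 16, "hmac_key": "11" * 20},
                 {"spi": 1001, "cipher_key": "22" * 16, "hmac_key": "33" * 20}]}
```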

B.3    IKE Negotiation Messages

This section contains IKE Phase 1 and Phase 2 negotiation error messages.

B.3.1    Phase 1 Error Messages

The following messages are related to Phase 1 negotiation problems:

Can not decode certificate out from BER encoded blob. The certificate may be corrupt, or should be decoded to binary BER blob before inserting (file format may be wrong?).

Explanation: A certificate file specified in the security policy could not be read or was invalid. The certificate is ignored.

Can not decode CRL out from BER encoded blob. The CRL input may be corrupted, or should be decoded to binary BER blob before inserting (file format may be wrong?).

Explanation: A CRL file specified in the security policy could not be read or was invalid. The CRL is ignored.

Can not get policy for id <-> id

Explanation: The remote system started an IKE negotiation, but the local IKE could not find a policy that matched the remote system.

Can not get subject name from a CA certificate. This certificate is not usable as an IPsec authenticator, and is not inserted into local list of trusted roots.

Explanation: A CA certificate specified in the security policy does not have the correct information for use with IPsec.

Certificate contains bad IP address: length=n

Explanation: A certificate contains an invalid subjectAltName attribute that contains an IP address.

CRL issuer name does not appear at the CRL. Can not check the CRL validity. Discarding the CRL.

Explanation: A CRL file specified in the security policy could not be read or was invalid. The CRL is ignored.

CRL issuer public key was not found from the local database. Can not check the CRL validity. Discarding the CRL.

Explanation: The CA certificate associated with the CRL is not configured.

Phase-1 [<initiator/responder>] between id and id failed; reason

Explanation: IKE could not negotiate a Phase 1 SA for the specified reason.

Phase-1 lifetime is too short (prop=n, min=n)

Explanation: The Phase 1 lifetime contains an unreasonably short lifetime. The proposed lifetime will be replaced with the minimum value.

Phase-1 notify string "(size n bytes) from string:string for protocol=n spi(n)=string"

Explanation: The remote system sent a notify message indicating that it rejected or modified the IKE negotiation for the specified reason.

Policy manager didn't find private key

Explanation: IPsec did not find the matching private key for an authentication certificate. No private key file was configured or the wrong file was used.

Policy manager didn't find public key

Explanation: IKE could not find the correct public key to authenticate a certificate-based IKE exchange. The necessary certificate or CA certificate is not configured, or the certificate has the wrong identity.

Received error notify from remote address : reason. Deleting ISAKMP SA.

Explanation: The remote system sent a notify message indicating that it rejected the IKE negotiation for the specified reason.

Sending notification to remote-address : reason

Explanation: The local IKE has rejected or modified the IKE negotiation, and is sending a notification to the remote IKE.

SPD: Phase-1 policy; No security policy available.

Explanation: IKE is running and has received a message from a remote peer, but no valid local security policy has been loaded.

SPD rejected conn using selectors id <-> id

Explanation: An IKE negotiation was received, but there was no matching policy for the indicated remote address.

The Phase-1 remote id is not an IP-address, check the peer/gw address.

Explanation: The configured address is not an IP address. You must specify an IP address for selectors and gateway addresses. The IPsec policy must be modified.

B.3.2    Phase 2 Error Messages

The following messages are related to Phase 2 negotiation problems:

IKE Phase-2; Could not select any protocols from IPSEC SA n

Explanation: There is no common proposal for IPsec protection between the security policies on the local and remote node. One or the other needs to be modified.

IKE Quick-Mode negotiation between id <-> id failed: reason

Explanation: The negotiation of an IPsec SA failed for the specified reason.

Phase-2 [role] for id and id failed; reason.

Explanation: A Phase 2 negotiation between the specified systems (initiator and responder) failed for the reason indicated.

Phase-2 lifetime is too short, reset to min (prop=n, min=n)

Explanation: The remote system proposed an unreasonably short Phase 2 lifetime. A more reasonable minimum was used instead.

QM notification n (reason) (size n bytes) from remote-address for protocol=n spi(n)=spi-value

Explanation: The remote system sent a notify message indicating that it rejected or modified the Phase 2 negotiation for the specified reason.

Received responder lifetime notification: "life_secs=n, life_kbytes=n

Explanation: The remote system selected a different lifetime value for the Phase 2 SA.

Requested to delete SA protocol[spi-value]

Explanation: The remote system sent a request to delete the specified SA. This may indicate that the remote has shut down or stopped IPsec processing.

SA-per-host specified and the remote requested addresses range or subnet -> rejecting connection.

Explanation: The local policy specifies that a unique SA be created for each host that matches the connection rule. The remote policy, however, wants to use a single SA for all matching hosts.

SA-per-host specified without remote addresses given and the remote did not request QM for itself -> rejecting connection.

Explanation: The local policy allows any authenticated remote host to use this connection. To do this securely, the remote policy must negotiate an SA only for its own address. This prevents remote VPN gateways from claiming packets that they are not supposed to receive.

The bundle n to be installed does not contain any inbound SA's. Not installing it.

Explanation: Some problem with the Phase 2 negotiation prevented its completion, so no SAs are created. This problem can also occur with manually keyed connections that contain errors.

The bundle n to be installed does not contain any outbound SA's. Not installing it.

Explanation: Some problem with the Phase 2 negotiation prevented its completion; no SAs are created. This problem can also occur with manually keyed connections that contain errors.

Tunnel endpoints not specified for Connection id

Explanation: IKE could not select default values for the secure gateway addresses in the specified connection. One or both of the secure gateway addresses must be specified in the connection.

B.4    ipsecd Daemon Messages

The following messages indicate that the ipsecd daemon is temporarily overloaded or not responding to some information from the IPsec kernel module. These conditions do not necessarily indicate a problem, but if these messages persist at a high rate they may indicate the ipsecd daemon is hung and should be restarted.

ssh_send_to_ipm: queue full, priority message dropped, len=n type=n queue_size=n

ssh_send_to_ipm: dropping entry to make space for important packet

ssh_send_to_ipm: WARNING: queue full, important packet dropped len = 0xn, type = n
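As an added example (not code from the product), the following script classifies the message families described in this appendix from syslog lines and raises an alert when ssh_send_to_ipm drops arrive at a sustained rate, which the text above says can mean ipsecd is hung and should be restarted. The syslog line layout, the sample lines and the threshold of five drops within 60 seconds are assumptions for the example.

```python
import re
from collections import deque
from datetime import datetime

# One BSD-syslog line: timestamp, host, "tag[pid]:", message (assumed layout)
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+\[\d+\]: (.*)$")
# Message families taken from this appendix, most specific first
PATTERNS = [
    ("status", re.compile(r"^IPSEC: (Initializing engine|Attaching to|Detaching from)")),
    ("phase1_failure", re.compile(r"^Phase-1 \[\w+\] between \S+ and \S+ failed; (.+)")),
    ("phase2_failure", re.compile(r"^Phase-2 \[\w+\] for \S+ and \S+ failed; (.+)")),
    ("ipsecd_drop", re.compile(r"^ssh_send_to_ipm: .*(queue full|dropping entry)")),
    ("spd_error", re.compile(r"^SPD: ")),
]

# Constructed sample log, not captured from a real system
SAMPLE_LOG = """\
Mar 12 10:14:55 gw1 ipsecd[412]: IPSEC: Attaching to the TCP/IP stack
Mar 12 10:15:01 gw1 ipsecd[412]: ssh_send_to_ipm: queue full, priority message dropped, len=96 type=3 queue_size=256
Mar 12 10:15:03 gw1 ipsecd[412]: Phase-1 [responder] between 192.0.2.10 and 198.51.100.7 failed; No proposal chosen
Mar 12 10:15:05 gw1 ipsecd[412]: ssh_send_to_ipm: dropping entry to make space for important packet
Mar 12 10:15:09 gw1 ipsecd[412]: ssh_send_to_ipm: WARNING: queue full, important packet dropped len = 0x60, type = 3
Mar 12 10:15:14 gw1 ipsecd[412]: ssh_send_to_ipm: queue full, priority message dropped, len=96 type=3 queue_size=256
Mar 12 10:15:20 gw1 ipsecd[412]: ssh_send_to_ipm: queue full, priority message dropped, len=96 type=3 queue_size=256
""".splitlines()

def classify(text):
    """Map one message to a family from this appendix ("other" if unknown)."""
    return next((kind for kind, rx in PATTERNS if rx.search(text)), "other")

def analyse(lines, year=2024, window=60, threshold=5):
    """Count messages per family and alert when at least `threshold` ssh_send_to_ipm
    drops fall inside any `window`-second span (a persistent high rate)."""
    counts, drops, alerts = {}, deque(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        kind = classify(m.group(2))
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "ipsecd_drop":
            drops.append(ts)
            while (ts - drops[0]).total_seconds() > window:  # slide the window
                drops.popleft()
            if len(drops) >= threshold and "ipsecd_hung" not in alerts:
                alerts.append("ipsecd_hung")
    return counts, alerts
```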