Troubleshooting manual tunnel errors

The following are descriptions of several possible tunnel errors, along with their solutions.

Error Possible problem and solution

Issuing the mktun command results in the following error:

insert_tun_man4(): write failed : The requested resource is busy.

Problem: The tunnel you requested to activate is already active or you have colliding SPI values.

To fix: Issue the rmtun command to deactivate the tunnel, then issue the mktun command to activate it. Check whether the SPI values for the failing tunnel match those of any other active tunnel. Each tunnel should have its own unique SPI values.

Issuing the mktun command results in the following error:

Device ipsec_v4 is in Defined status.

Tunnel activation for IP Version 4 not performed.

Problem: You have not made the IP Security device available.

To fix: Issue the following command:

mkdev -l ipsec -t 4

You might have to change the -t option to 6 if you get the same error for IP Version 6 tunnel activation. The devices must be in the Available state. To check the IP Security device state, issue the following command:

lsdev -Cc ipsec

Issuing a gentun command results in the following error:

Invalid Source IP address

Problem: You have not entered a valid IP address for the source address.

To fix: For IP Version 4 tunnels, check that you have entered an available IP Version 4 address for the local machine. You cannot use host names for the source when generating tunnels; you can use host names only for the destination.

For IP Version 6 tunnels, check that you entered an available IP Version 6 address. If you type netstat -in and no IP Version 6 addresses exist, run /usr/sbin/autoconf6 (interface) for a link-local autogenerated address (using MAC address) or use the ifconfig command to manually assign an address.

Issuing the mktun command results in the following error:

insert_tun_man4(): write failed : A system call received a parameter that is not valid.

Problem: The tunnel was generated with an invalid ESP and AH combination, or without the new header format when it is required.

To fix: Check to see which authentication algorithms are in use by the particular tunnel in question. Remember that the HMAC_MD5 and HMAC_SHA algorithms require the new header format. The new header format can be changed using the SMIT fast path ips4_basic or the -z parameter with the chtun command. Also, remember that DES_CBC_4 cannot be used with the new header format.
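
The two configuration checks described above (unique SPI values for each tunnel, and the algorithm and header-format rules) can be run over a list of tunnel definitions before mktun is issued. The following script is an added example, not part of the original manual or an AIX tool; the record format, the function names check_tunnels and sample_tunnels, and the sample values are constructed for illustration, and it treats any SPI value shared by two different tunnels as a collision.

```shell
#!/bin/sh
# Added example: pre-activation check for manual tunnel definitions.
# The record format is CONSTRUCTED for this example (it is not lstun output):
#   tunnel_id  auth_alg  encr_alg  new_header(Y|N)  spi [spi ...]

# Constructed sample records: tunnels 2, 3 and 4 each break one rule.
sample_tunnels() {
cat <<'EOF'
# id auth      encr      newhdr spis
1    HMAC_MD5  DES_CBC_8 Y      300 301 302 303
2    HMAC_SHA  DES_CBC_8 N      400 401 402 403
3    KEYED_MD5 DES_CBC_4 Y      500 501 502 503
4    KEYED_MD5 DES_CBC_4 N      300 601 602 603
EOF
}

# Reads records from stdin or from the named files.
# Prints one line per finding; exit status 1 if anything was found.
check_tunnels() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    NF < 5 { printf "line %d: malformed record\n", NR; bad = 1; next }
    {
        id = $1; auth = $2; encr = $3; hdr = toupper($4)
        # HMAC_MD5 and HMAC_SHA require the new header format.
        if ((auth == "HMAC_MD5" || auth == "HMAC_SHA") && hdr != "Y") {
            printf "tunnel %s: %s requires the new header format\n", id, auth
            bad = 1
        }
        # DES_CBC_4 cannot be used with the new header format.
        if (encr == "DES_CBC_4" && hdr == "Y") {
            printf "tunnel %s: DES_CBC_4 cannot be used with the new header format\n", id
            bad = 1
        }
        # Each tunnel should have its own unique SPI values.
        for (i = 5; i <= NF; i++) {
            if (($i in owner) && owner[$i] != id) {
                printf "tunnel %s: SPI %s already used by tunnel %s\n", id, $i, owner[$i]
                bad = 1
            } else {
                owner[$i] = id
            }
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

sample_tunnels | check_tunnels || echo "Fix the definitions above before issuing mktun."
```

SPI values are compared as text, so write them in the same notation throughout the input.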

Trying to use IP Security results in the following error:

The installed bos.crypto is back level and must be updated.

Problem: The bos.net.ipsec.* files have been updated to a newer version, but the corresponding bos.crypto.* files have not.

To fix: Update the bos.crypto.* files to the version that corresponds with the updated bos.net.ipsec.* files.