IPsec Extensions to Other Utilities

The ifconfig command has options to manage the IPsec policy on a tunnel interface. The snoop command can parse AH and ESP headers.

ifconfig Command and IPsec

In the Solaris 10, Solaris 10 7/05, Solaris 10 1/06, and Solaris 10 11/06 releases: To support IPsec, the following security options are available from the ifconfig command. These security options are handled by the ipsecconf command in the Solaris 10 7/07 release.

• auth_algs

• encr_auth_algs

• encr_algs

You must specify all IPsec security options for a tunnel in one invocation. For example, if you are using only ESP to protect traffic, you would configure the tunnel, ip.tun0, once with both security options, as in:

# ifconfig ip.tun0 encr_algs aes encr_auth_algs md5

Similarly, an ipsecinit.conf entry would configure the tunnel once with both security options, as in:

# WAN traffic uses ESP with AES and MD5.
   {} ipsec {encr_algs aes encr_auth_algs md5}

auth_algs Security Option

This option enables IPsec AH for a tunnel with a specified authentication algorithm. The auth_algs option has the following format:

auth_algs authentication-algorithm

For the algorithm, you can specify either a number or an algorithm name, including the parameter any, to express no specific algorithm preference. To disable tunnel security, specify the following option:

auth_algs none

For a list of available authentication algorithms, run the ipsecalgs command.

The auth_algs option cannot work with NAT-Traversal. For more information, see IPsec and NAT Traversal.

encr_auth_algs Security Option

This option enables IPsec ESP for a tunnel with a specified authentication algorithm. The encr_auth_algs option has the following format:

encr_auth_algs authentication-algorithm

For the algorithm, you can specify either a number or an algorithm name, including the parameter any, to express no specific algorithm preference. If you specify an ESP encryption algorithm, but you do not specify the authentication algorithm, the ESP authentication algorithm value defaults to the parameter any.

For a list of available authentication algorithms, run the ipsecalgs command.

encr_algs Security Option

This option enables IPsec ESP for a tunnel with a specified encryption algorithm. The encr_algs option has the following format:

encr_algs encryption-algorithm

For the algorithm, you can specify either a number or an algorithm name. To disable tunnel security, specify the following option:

encr_algs none

If you specify an ESP authentication algorithm, but not an encryption algorithm, ESP's encryption value defaults to the parameter null.

For a list of available encryption algorithms, run the ipsecalgs command.

snoop Command and IPsec

The snoop command can parse AH and ESP headers. Because ESP encrypts its data, the snoop command cannot see encrypted headers that are protected by ESP. AH does not encrypt data. Therefore, traffic that is protected by AH can be inspected with the snoop command. The -V option to the command shows when AH is in use on a packet. For more details, see the snoop(1M) man page.

For a sample of verbose snoop output on a protected packet, see How to Verify That Packets Are Protected With IPsec.