The Solaris software includes a sample IPsec policy file that you can use as a template to create your own ipsecinit.conf file. This sample file is named ipsecinit.sample and it contains the following entries:
# #ident "@(#)ipsecinit.sample 1.6 01/10/18 SMI" # # Copyright (c) 1999,2001 by Sun Microsystems, Inc. # All rights reserved. # # This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec # systemwide policy (and as a side-effect, load IPsec kernel modules). # Even if this file has no entries, IPsec will be loaded if # /etc/inet/ipsecinit.conf exists. # # Add entries to protect the traffic using IPsec. The entries in this # file are currently configured using ipsecconf from inetinit script # after /usr is mounted. # # For example, # # {rport 23} ipsec {encr_algs des encr_auth_algs md5} # # Or, in the older (but still usable) syntax # # {dport 23} apply {encr_algs des encr_auth_algs md5 sa shared} # {sport 23} permit {encr_algs des encr_auth_algs md5} # # will protect the telnet traffic originating from the host with ESP using # DES and MD5. Also: # # {raddr 10.5.5.0/24} ipsec {auth_algs any} # # Or, in the older (but still usable) syntax # # {daddr 10.5.5.0/24} apply {auth_algs any sa shared} # {saddr 10.5.5.0/24} permit {auth_algs any} # # will protect traffic to or from the 10.5.5.0 subnet with AH # using any available algorithm. # # # To do basic filtering, a drop rule may be used. For example: # # {lport 23 dir in} drop {} # {lport 23 dir out} drop {} # # will disallow any remote system from telnetting in. # # # WARNING: This file is read before default routes are established, and # before any naming services have been started. The # ipsecconf(1M) command attempts to resolve names, but it will # fail unless the machine uses files, or DNS and the DNS server # is reachable via routing information before ipsecconf(1M) # invocation. (that is, the DNS server is on-subnet, or DHCP # has loaded up the default router already.) # # It is suggested that for this file, use hostnames only if # they are in /etc/hosts, or use numeric IP addresses. # # If DNS gets used, the DNS server is implicitly trusted, which # could lead to compromise of this machine if the DNS server # has been compromised. # |