The three encryption dialog boxes (SKIP, SKIP Version 1, and ESP/AH) use common set-up parameters, as you can see in Figure 3-3 through Figure 3-10. Explanations of the parameters follow the figures. The procedure follows the explanations.
Hostname/Network/Nomadic. Enter the name of the host or nomadic system, or the IP address of the host or network.
Netmask. (network only) Enter the netmask of the network. The default (255.255.255.0) is already entered.
Secure button. (SKIP and ESP/AH only) Set to either Whole packet ("tunnel mode") or Data only ("transport mode"). Whole packet is recommended because it offers a greater degree of security.
Node ID. (SKIP Version 1 only) This is the IPv4 key ID.
Tunnel Address. Use the tunnel address as the destination IP address. Tunnel address is generally used for clients of encrypted gateways where the IP address of the host entered here serves as the intermediary for any or all hosts on a network whose topography must remain unknown or hidden from the rest of the world. This is called topology hiding. This field is not available if you select Data only.
Local/Remote SPI. (ESP/AH only) You need to provide some sort of identifier for the local and remote systems when using manual keying. These are converted to hexadecimal numbers by SKIP. The Local security parameters index (SPI) is your machine, and the Remote SPI is the destination machine. Alternatively, you can enter the Local/Remote SPI values directly in hexadecimal by typing an eight-digit hexadecimal quantity with the prefix "0x."
Remote Key ID button. (SKIP only) Select whether you want the remote system's key ID included in SKIP packets and, if so, the namespace that key ID occupies. Selecting Not Present means that the receiver key ID will not be sent.
The following namespaces are listed in this menu:
Not Present
IPv4 Address
MD5 (DH Public Value)
Not Present is the default. It uses the IP address of the remote system to identify its certificate. If a remote system has a key ID other than that identified by its IP address, set the namespace and indicate the remote system's key ID in the ID field.
Remote Key ID field. (SKIP only) The namespace indicated in the Remote Key ID field is determined by the type of certificate (Table 3-2) that you are using or have obtained for this system:
Table 3-2 Remote Key ID Field
Certificate Type |
Remote Key ID Field |
CA (Sun or other) |
IPv4 |
Self-generated unsigned key |
MD5 (DH Public Value) |
If the Remote Key ID field has been set to other than Not Present, enter the key ID in hexadecimal format in the ID field (such as 0x0a000000). It must contain the appropriate key ID for the system being authorized based upon the selection made with the Remote Key ID button. Depending on the type of certificate, this information may be obtained from the master key ID on the diskette or from the local key ID field of the other host.
Local Key ID and ID buttons. Use the Local Key ID button to indicate whether you want your local system to send its key ID in the SKIP packet and, if so, the namespace that key occupies. If you select Not Present, the sender's key ID is not sent in the packet and the remote system uses the local system's IP address to decide what key to use.
If you have installed new local keys after you have started skiptool, skiptool will not list them. You must restart the key manager with the skipd_restart command to list them and rerun skiptool.
All the local-key times installed for this host are listed. Select the namespace for the local key that is to be used for communication with the above host. Once you have selected the namespace, click on the ID field to select the key to be used, in hexadecimal, for communication with this host.
Key Encryption button. Selecting this button lists the available key encryption algorithms. The algorithms available are determined by the system type and the selected encryption method selected.
Traffic Encryption button. Select the algorithm for encrypting the traffic between your system and the remote system. The algorithms available are determined by the system type, the version of SunScreen SKIP, and the method of encryption selected.
Authentication button. Use the authentication button to select the type of authentication for the packets. Currently, SunScreen SKIP supports only one type of authentication--MD5. You can also select None for no authentication.
Compression button. Compression is not available at this time.