Securing the Network in Oracle® Solaris 11.2


Updated: August 2014

How to Verify That Packets Are Protected With IPsec

    To verify that packets are protected, test the connection with the snoop command. The following prefixes can appear in the snoop output:

  • AH: This prefix indicates that AH is protecting the packet headers. You see it if you used auth_alg to protect the traffic.

  • ESP: This prefix indicates that encrypted data is being sent. You see it if you used encr_auth_alg or encr_alg to protect the traffic.

Before You Begin

You must have access to both systems to test the connection.

You must assume the root role to create the snoop output. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. On one system, such as partym, assume the root role.
    % su -
    Password: xxxxxxxx
    # 
  2. (Optional) Display the details of the SAs.
    # ipseckey dump

    This output indicates which SPI values match the SAs that are used, which algorithms were used, the keys, and so on.

  3. On this system, prepare to snoop packets from a remote system.

    In a terminal window on partym, snoop the packets from the enigma system.

    # snoop -d net0 -o /tmp/snoop_capture enigma
    Using device /dev/e1000g (promiscuous mode)
  4. Send a packet from the remote system.

    In another terminal window, remotely log in to the enigma system. Provide your password. Then, assume the root role and send a packet from the enigma system to the partym system. The packet should be captured by the snoop command that is running on partym.

    partym% ssh enigma
    Password: xxxxxxxx
    enigma% su -
    Password: xxxxxxxx
    enigma# ping partym
  5. Examine the snoop output.
    partym# snoop -i /tmp/snoop_capture -v

    You can also load the snoop output into the Wireshark application. For more information, see How to Prepare IPsec and IKE Systems for Troubleshooting and snoop Command and IPsec.

    In the file, you should see output that includes AH and ESP information after the initial IP header information. AH and ESP information that resembles the following shows that packets are being protected:

    IP:   Time to live = 64 seconds/hops
    IP:   Protocol = 51 (AH)
    IP:   Header checksum = 4e0e
    IP:   Source address = 192.168.116.16, enigma
    IP:   Destination address = 192.168.13.213, partym
    IP:   No options
    IP:
    AH:  ----- Authentication Header -----
    AH:
    AH:  Next header = 50 (ESP)
    AH:  AH length = 4 (24 bytes)
    AH:  <Reserved field = 0x0>
    AH:  SPI = 0xb3a8d714
    AH:  Replay = 52
    AH:  ICV = c653901433ef5a7d77c76eaa
    AH:
    ESP:  ----- Encapsulating Security Payload -----
    ESP:
    ESP:  SPI = 0xd4f40a61
    ESP:  Replay = 52
    ESP:     ....ENCRYPTED DATA....
    
    ETHER:  ----- Ether Header -----
    ...
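To make the check in Step 5 repeatable, the following added example (not part of the Oracle documentation) parses `snoop -v` output, reports which IPsec headers each packet carries, and flags packets between two hosts that are unprotected or whose SPI is not among the SPIs you read from `ipseckey dump` (the `known_spis` set is an assumed input). The embedded sample output is constructed in the style of the capture above.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the style of `snoop -v` output (not a real capture):
# packet 1 is AH+ESP protected (SPIs as in the example above), packet 2 is plain ICMP.
SAMPLE_SNOOP_V = """\
ETHER:  ----- Ether Header -----
IP:   Protocol = 51 (AH)
IP:   Source address = 192.168.116.16, enigma
IP:   Destination address = 192.168.13.213, partym
AH:  ----- Authentication Header -----
AH:  Next header = 50 (ESP)
AH:  SPI = 0xb3a8d714
ESP:  ----- Encapsulating Security Payload -----
ESP:  SPI = 0xd4f40a61
ESP:     ....ENCRYPTED DATA....
ETHER:  ----- Ether Header -----
IP:   Protocol = 1 (ICMP)
IP:   Source address = 192.168.13.213, partym
IP:   Destination address = 192.168.116.16, enigma
ICMP:  ----- ICMP Header -----
"""

# Matches only the fields the check needs, e.g. "IP:   Protocol = 51 (AH)",
# "IP:   Source address = 192.168.116.16, enigma" and "AH:  SPI = 0xb3a8d714".
FIELD_RE = re.compile(
    r"^(IP|AH|ESP):\s+(Protocol|Source address|Destination address|SPI)\s*=\s*([^\s,]+)")

def parse_snoop_packets(text: str) -> List[Dict[str, str]]:
    """Split verbose snoop output at each Ether header; map 'LAYER:field' -> value per packet."""
    packets: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("ETHER:") and "Ether Header" in line:
            packets.append({})
            continue
        m = FIELD_RE.match(line)
        if packets and m:
            packets[-1][f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return packets

def protection_of(pkt: Dict[str, str]) -> str:
    """'AH', 'ESP', 'AH+ESP' or 'NONE', depending on which IPsec headers snoop decoded."""
    layers = [layer for layer in ("AH", "ESP") if f"{layer}:SPI" in pkt]
    return "+".join(layers) or "NONE"

def unprotected_packets(text: str, src: str, dst: str,
                        known_spis: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Packets src->dst with no AH/ESP header, or with an SPI missing from known_spis
    (assumed to hold the SPIs shown by `ipseckey dump`; None skips the SPI cross-check)."""
    bad = []
    for pkt in parse_snoop_packets(text):
        if pkt.get("IP:Source address") != src or pkt.get("IP:Destination address") != dst:
            continue
        spis = {v for k, v in pkt.items() if k.endswith(":SPI")}
        if protection_of(pkt) == "NONE" or (known_spis and not spis <= known_spis):
            bad.append(pkt)
    return bad
```

Run it against a saved `snoop -i /tmp/snoop_capture -v` listing instead of the sample; an empty result for the enigma-to-partym direction means every captured packet carried AH or ESP with an SPI you expected.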