21. IP Security Architecture (Reference)
The ifconfig command has options to manage the IPsec policy on a tunnel interface. The snoop command can parse AH and ESP headers.
In the Solaris 10, Solaris 10 7/05, Solaris 10 1/06, and Solaris 10 11/06 releases, the following security options of the ifconfig command support IPsec on tunnel interfaces. Beginning with the Solaris 10 7/07 release, these security options are handled by the ipsecconf command instead.
You must specify all IPsec security options for a tunnel in one invocation, because each invocation replaces the tunnel's entire IPsec configuration rather than adding to it. For example, if you are using only ESP to protect traffic, you configure the tunnel, ip.tun0, once with both ESP options, the encryption algorithm and the authentication algorithm, as in:
# ifconfig ip.tun0 encr_algs aes encr_auth_algs md5
Similarly, an ipsecinit.conf entry configures the tunnel once with both ESP options. In ipsecinit.conf a # begins a comment, so the comment and the rule must be on separate lines; a rule that is placed on the comment line is ignored by ipsecconf and the tunnel is left without that policy:
# WAN traffic uses ESP with AES and MD5.
{} ipsec {encr_algs aes encr_auth_algs md5}
The auth_algs option enables IPsec AH for a tunnel with a specified authentication algorithm. The option has the following format:
auth_algs authentication-algorithm
For the algorithm, you can specify either a number or an algorithm name, including the parameter any, to express no specific algorithm preference. To disable tunnel security, specify the following option:
auth_algs none
For a list of available authentication algorithms, run the ipsecalgs command.
Note - The auth_algs option cannot work with NAT traversal, because AH authenticates the outer IP header, including the addresses that a NAT device rewrites, so any translated packet fails the integrity check. For more information, see IPsec and NAT Traversal.
The encr_auth_algs option enables IPsec ESP for a tunnel with a specified authentication (integrity) algorithm. The option has the following format:
encr_auth_algs authentication-algorithm
For the algorithm, you can specify either a number or an algorithm name, including the parameter any, to express no specific algorithm preference. If you specify an ESP encryption algorithm, but you do not specify the authentication algorithm, the ESP authentication algorithm value defaults to the parameter any.
For a list of available authentication algorithms, run the ipsecalgs command.
The encr_algs option enables IPsec ESP for a tunnel with a specified encryption algorithm. The option has the following format:
encr_algs encryption-algorithm
For the algorithm, you can specify either a number or an algorithm name. To disable tunnel security, specify the following option:
encr_algs none
If you specify an ESP authentication algorithm, but not an encryption algorithm, ESP's encryption value defaults to the parameter null. Null encryption provides integrity and authentication only; the payload is sent in cleartext, so use this combination only where confidentiality is not required.
For a list of available encryption algorithms, run the ipsecalgs command.
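As an added example, not code from the Solaris guide or an Oracle tool, the following POSIX shell script lints ipsecinit.conf-style tunnel rules for the conditions described above: a rule that landed on a # comment line, ESP with encr_auth_algs but no encr_algs (encryption defaults to null), encr_algs with no encr_auth_algs (authentication defaults to any), auth_algs selecting AH (which cannot traverse NAT), and the legacy md5 HMAC. The sample rules it reads are constructed for the demonstration, and the script only inspects text; it never calls ipsecconf or ifconfig.

```shell
#!/bin/sh
# Added example; this is not code from the Solaris guide or an Oracle tool.
# lint_tunnel_policy reads ipsecinit.conf-style rules on stdin and reports
# the pitfalls the surrounding text describes. It only inspects text.

# Constructed sample policy for the demonstration; not taken from any host.
sample_policy() {
    cat <<'EOF'
# WAN traffic uses ESP with AES and MD5.
{} ipsec {encr_algs aes encr_auth_algs md5}
# Rule accidentally left on the comment line: {} ipsec {encr_algs aes encr_auth_algs sha1}
{} ipsec {encr_auth_algs sha1}
{} ipsec {encr_algs aes}
{} ipsec {auth_algs sha1}
{} ipsec {encr_algs aes encr_auth_algs sha1 auth_algs sha1}
EOF
}

# opt_value "<option words>" <keyword>: print the value that follows
# keyword, or return 1 if the keyword is absent.
opt_value() {
    key=$2
    set -- $1            # word-split the option string on purpose
    while [ $# -gt 1 ]; do
        if [ "$1" = "$key" ]; then
            echo "$2"
            return 0
        fi
        shift
    done
    return 1
}

# lint_tunnel_policy: read rules from stdin, print one finding per line.
lint_tunnel_policy() {
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            '#'*ipsec*'{'*)
                # A rule on a comment line is a comment: ipsecconf never loads it.
                echo "$lineno: WARN rule text on a comment line is ignored: $line"
                continue ;;
            '#'*|'') continue ;;
        esac
        # Isolate the words inside the braces that follow the ipsec keyword.
        opts=${line#*ipsec}
        opts=${opts#*\{}
        opts=${opts%\}*}
        encr=$(opt_value "$opts" encr_algs) || encr=
        eauth=$(opt_value "$opts" encr_auth_algs) || eauth=
        auth=$(opt_value "$opts" auth_algs) || auth=
        if [ -n "$eauth" ] && [ -z "$encr" ]; then
            echo "$lineno: NOTE no encr_algs, ESP encryption defaults to null (integrity only, payload in cleartext)"
        fi
        if [ -n "$encr" ] && [ "$encr" != none ] && [ -z "$eauth" ]; then
            echo "$lineno: NOTE no encr_auth_algs, ESP authentication defaults to any"
        fi
        if [ -n "$auth" ] && [ "$auth" != none ]; then
            echo "$lineno: NOTE auth_algs $auth selects AH, which does not traverse NAT"
        fi
        case " $opts " in
            *" md5 "*) echo "$lineno: WARN md5 is a legacy HMAC; prefer an HMAC-SHA algorithm listed by ipsecalgs" ;;
        esac
    done
}

# Stand-alone use: lint the constructed sample.
# On a real host: lint_tunnel_policy < /etc/inet/ipsecinit.conf
sample_policy | lint_tunnel_policy
```

Run against the constructed sample, the script flags the rule hidden on the comment line, the integrity-only rule on line 4, the any-authentication default on line 5, the two AH rules on lines 6 and 7, and the md5 HMAC on line 2; a clean policy produces no output.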
The snoop command can parse AH and ESP headers. Because ESP encrypts its payload, the snoop command can display the ESP header itself (the SPI and sequence number) but not the encrypted payload or any inner headers it contains. AH does not encrypt data. Therefore, traffic that is protected by AH can be inspected in full with the snoop command. The -V option to the command shows when AH is in use on a packet. For more details, see the snoop(1M) man page.
For a sample of verbose snoop output on a protected packet, see How to Verify That Packets Are Protected With IPsec.