IPsec and IKE Administration Guide

IPsec Extensions to Other Utilities

The ifconfig command has options to manage the IPsec policy on a tunnel interface. The snoop command can parse AH and ESP headers.

ifconfig Command

To support IPsec, three security options have been added to the ifconfig command: auth_algs, encr_auth_algs, and encr_algs. Each option is described in the sections that follow.

You must specify all IPsec security options for a tunnel in one invocation. For example, if you are using only ESP to protect traffic, you would configure the tunnel, ip.tun0, once with both security options, as in:


# ifconfig ip.tun0 … encr_algs 3DES encr_auth_algs MD5

Similarly, an ipsecinit.conf entry would configure the tunnel once with both security options, as in:


# WAN traffic uses ESP with 3DES and MD5.
   {} ipsec {encr_algs 3des encr_auth_algs md5}

auth_algs Security Option

This option enables IPsec AH for a tunnel with a specified authentication algorithm. The auth_algs option has the following format:


auth_algs authentication-algorithm

For the algorithm, you can specify either a number or an algorithm name, including the parameter any, to express no specific algorithm preference. To disable tunnel security, specify the following option:


auth_algs none

See Table 1–1 for a list of available authentication algorithms and for pointers to the algorithm man pages.

encr_auth_algs Security Option

This option enables IPsec ESP for a tunnel with a specified authentication algorithm. The encr_auth_algs option has the following format:


encr_auth_algs authentication-algorithm

For the algorithm, you can specify either a number or an algorithm name, including the parameter any, to express no specific algorithm preference. If you specify an ESP encryption algorithm, but you do not specify the authentication algorithm, the ESP authentication algorithm value defaults to the parameter any.

See Table 1–1 for a list of available authentication algorithms and for pointers to the algorithm man pages.

encr_algs Security Option

This option enables IPsec ESP for a tunnel with a specified encryption algorithm. The encr_algs option has the following format:


encr_algs encryption-algorithm

For the algorithm, you can specify either a number or an algorithm name. To disable tunnel security, specify the following option:


encr_algs none

If you specify an ESP authentication algorithm, but not an encryption algorithm, ESP's encryption value defaults to the parameter null.

For a list of available encryption algorithms and for pointers to the algorithm man pages, see the ipsecesp(7P) man page or Table 1–2.
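The two rules this section and the ifconfig section above state (all IPsec options for a tunnel go in one invocation; an ESP encryption algorithm given alone implies an authentication value of any, and an ESP authentication algorithm given alone implies an encryption value of null) are easy to get wrong when writing tunnel configurations by hand. The following POSIX sh script is an added example, not code from the guide or from Solaris: it computes the effective policy from ifconfig-style options or from an ipsecinit.conf-style entry, and checks a list of ifconfig command lines for a tunnel whose options are split across invocations. The function names, the output format, and the treatment of none as disabling only the protocol it is given for are assumptions of this example; the sample lines it parses are constructed in the guide's format.

```shell
#!/bin/sh
# Added example (not from the guide): evaluate IPsec tunnel options offline.

# Lower-case a value so that "3DES" (ifconfig example) and "3des"
# (ipsecinit.conf example) compare equal.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the effective tunnel policy for ifconfig-style options, applying the
# defaulting rules the guide states:
#   encr_algs without encr_auth_algs -> ESP authentication defaults to any
#   encr_auth_algs without encr_algs -> ESP encryption defaults to null
#   auth_algs none / encr_algs none  -> that protocol is disabled (assumption:
#                                       none is read per protocol here)
# Usage: ipsec_effective_policy [auth_algs A] [encr_algs E] [encr_auth_algs M]
# Output: one line of the form "AH=<alg|off> ESP=<encr>/<auth>|off"
ipsec_effective_policy() {
    ah='' esp_encr='' esp_auth=''
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { printf 'option %s needs a value\n' "$1" >&2; return 2; }
        case "$1" in
            auth_algs)      ah=$(lc "$2") ;;
            encr_algs)      esp_encr=$(lc "$2") ;;
            encr_auth_algs) esp_auth=$(lc "$2") ;;
            *) printf 'unknown option: %s\n' "$1" >&2; return 2 ;;
        esac
        shift 2
    done
    # Apply the ESP defaults exactly as the guide describes them.
    if [ -n "$esp_encr" ] && [ -z "$esp_auth" ]; then esp_auth=any; fi
    if [ -n "$esp_auth" ] && [ -z "$esp_encr" ]; then esp_encr=null; fi
    case "$ah" in ''|none) ah_out=off ;; *) ah_out=$ah ;; esac
    case "$esp_encr" in ''|none) esp_out=off ;; *) esp_out="$esp_encr/$esp_auth" ;; esac
    printf 'AH=%s ESP=%s\n' "$ah_out" "$esp_out"
}

# Parse one ipsecinit.conf-style entry such as
#   {} ipsec {encr_algs 3des encr_auth_algs md5}
# and print its effective policy. The selector braces before "ipsec" may be
# empty or carry a pattern; only the ipsec {...} clause is interpreted.
ipsecinit_effective_policy() {
    body=$(printf '%s\n' "$1" |
        sed -n 's/^[^{]*{[^}]*}[[:space:]]*ipsec[[:space:]]*{\([^}]*\)}.*$/\1/p')
    [ -n "$body" ] || { printf 'no ipsec {...} clause found\n' >&2; return 2; }
    # Word-splitting the clause into option tokens is intended here.
    ipsec_effective_policy $body
}

# Read shell command lines on stdin (a constructed transcript, prompt "# "
# allowed) and print the name of every tunnel whose IPsec security options
# appear in more than one ifconfig invocation, which the guide forbids.
# Returns 1 if any such tunnel is found, 0 otherwise.
ipsec_check_single_invocation() {
    awk '
        /^#?[[:space:]]*ifconfig[[:space:]]/ && /(auth_algs|encr_algs|encr_auth_algs)/ {
            # The tunnel name is the word right after "ifconfig".
            for (i = 1; i <= NF; i++) if ($i == "ifconfig") { n[$(i+1)]++; break }
        }
        END { bad = 0; for (t in n) if (n[t] > 1) { print t; bad = 1 }; exit bad }
    '
}

# Demonstration on the two example forms shown in the guide (constructed input).
ipsec_effective_policy encr_algs 3DES encr_auth_algs MD5
ipsecinit_effective_policy '{} ipsec {encr_algs 3des encr_auth_algs md5}'
```

Both demonstration lines print AH=off ESP=3des/md5, confirming that the ifconfig and ipsecinit.conf forms of the guide's example describe the same policy. Feeding a transcript in which the same tunnel receives auth_algs in one ifconfig line and encr_algs in another makes ipsec_check_single_invocation print that tunnel name and return 1.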

snoop Command

The snoop command can now parse AH and ESP headers. Because ESP encrypts its payload, the snoop command cannot see the headers and data that ESP protects. AH does not encrypt data, so AH-protected traffic can still be inspected with this command. The snoop -V option shows when AH is in use on a packet. See the snoop(1M) man page for more details.

For a sample of verbose snoop output on a protected packet, see How to Verify That Packets Are Protected.