Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: April 2019

How to Verify That Packets Are Protected With IPsec

    To verify that packets are protected, test the connection with the snoop command. The following prefixes can appear in the snoop output:

  • AH: Prefix indicates that AH is protecting the headers. You see this prefix if you used auth_alg to protect the traffic.

  • ESP: Prefix indicates that encrypted data is being sent. You see this prefix if you used encr_auth_alg or encr_alg to protect the traffic.

Before You Begin

You must have access to both systems to test the connection.

You must assume the root role to create the snoop output. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. On one system, such as host2, assume the root role.
    % su -
    Password: xxxxxxxx
  2. (Optional) Display the details of the SAs.
    # ipseckey dump

    This output indicates which SPI values match the SAs that are used, which algorithms were used, the keys, and so on.

  3. On this system, prepare to snoop packets from a remote system.

    In a terminal window on host2, snoop the packets from the host1 system.

    # snoop -d net0 -o /tmp/snoop_capture host1
    Using device /dev/xxx (promiscuous mode)
  4. Send a packet from the remote system.

    In another terminal window, remotely log in to the host1 system. Provide your password. Then, assume the root role and send a packet from the host1 system to the host2 system. The packet should be captured by the snoop -v host1 command.

    host2% ssh host1
    Password: xxxxxxxx
    host1% su -
    Password: xxxxxxxx
    host1# ping host2
  5. Examine the snoop output.
    host2# snoop -i /tmp.snoop_capture -v

    You can also load the snoop output into the Wireshark application. For more information, see How to Prepare IPsec and IKE Systems for Troubleshooting and snoop Command and IPsec.

    In the file, you should see output that includes AH and ESP information after the initial IP header information. AH and ESP information that resembles the following shows that packets are being protected:

    IP:   Time to live = 64 seconds/hops
    IP:   Protocol = 51 (AH)
    IP:   Header checksum = 4e0e
    IP:   Source address =, host1
    IP:   Destination address = host2
    IP:   No options
    AH:  ----- Authentication Header -----
    AH:  Next header = 50 (ESP)
    AH:  AH length = 4 (24 bytes)
    AH:  <Reserved field = 0x0>
    AH:  SPI = 0xb3a8d714
    AH:  Replay = 52
    AH:  ICV = c653901433ef5a7d77c76eaa
    ESP:  ----- Encapsulating Security Payload -----
    ESP:  SPI = 0xd4f40a61
    ESP:  Replay = 52
    ESP:     ....ENCRYPTED DATA....
    ETHER:  ----- Ether Header -----