On S10, I'd normally expect you to be able to load up to 128 bit keys
and then fail at 192 and above if you don't have the encryption kit
upgrade installed.
Try running this command and see what you get:
# echo "8 * `cryptoadm list -mv | \
awk '/CKM_AES_CBC / {print $3}'`" | bc
On a stock S10 system without the SUNWcryr package installed, I get:
128
This restriction was removed in OpenSolaris AFAIK. (And an S10 update
that is later.) It should say 256.
Here's some test keys I tried on OpenSolaris:
ipseckey> add esp spi 0x6789 src 1.1.1.1 dst 2.2.2.2 encralg aes encrkey 0123456789afcdeffedcba98765432100123456789afcdef
ipseckey> add esp spi 0x6789 src 1.1.1.1 dst 2.2.2.3 encralg aes encrkey 0123456789afcdeffedcba98765432100123456789afcdef8bd4a52e10127deb
Which lists this with dump:
EKY: 0123456789afcdeffedcba98765432100123456789afcdef/192
EKY: 0123456789afcdeffedcba98765432100123456789afcdef8bd4a52e10127deb/256
On S10 without SUNWcryr, I get:
ipseckey> add esp spi 0x6789 src 1.1.1.1 dst 2.2.2.2 encralg aes encrkey 0123456789afcdeffedcba98765432100123456789afcdef
ipseckey: One of the entered values is incorrect.
Diagnostic code 0: No diagnostic.
ipseckey: return message (in doaddresses): Invalid argument
If you run pkginfo | grep SUNWcryr and don't see that package and the
cryptoadm command says 128, go to download.sun.com and find the "Solaris
10 Encryption Kit".
Note: This is obsolete in Solaris 10 08/07 and unnecessary. I'm not
sure what you mean by Solaris "10/4" and how that equates, but
/etc/issue should tell you definitively. The cryptoadm command above is
what you really want to use to verify.
Thanks,
Paul
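
An added example, not part of the original message: a pre-flight check that compares a hex ESP key against the AES limit the crypto framework reports before the key is handed to ipseckey. The function names and the two sample listings are constructed for illustration; it assumes, as the one-liner above does, that column 3 of the CKM_AES_CBC row is the maximum key size in bytes.

```shell
#!/bin/sh
# Constructed sample rows in the shape of `cryptoadm list -mv` output
# (mechanism, min bytes, max bytes); not captured from a real system.
sample_stock_s10() { printf '%s\n' 'Mechanism Name  Min Max' \
    'CKM_AES_CBC     16  16' 'CKM_AES_CBC_PAD 16  16'; }
sample_with_kit()  { printf '%s\n' 'Mechanism Name  Min Max' \
    'CKM_AES_CBC     16  32' 'CKM_AES_CBC_PAD 16  32'; }

# The two test keys from the message above.
KEY192=0123456789afcdeffedcba98765432100123456789afcdef
KEY256=${KEY192}8bd4a52e10127deb

# Read a listing on stdin; print the largest CKM_AES_CBC max key size in bits.
# Exact match on $1 keeps CKM_AES_CBC_PAD out, like the trailing space in the
# original awk pattern. Fails if no such row exists.
aes_cbc_max_bits() {
    awk '$1 == "CKM_AES_CBC" && $3 + 0 > max { max = $3 + 0 }
         END { if (max == 0) exit 1; print max * 8 }'
}

# Print the size in bits of a hex key; fail on non-hex or odd-length input.
hex_key_bits() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ] || return 1
    echo $(( ${#1} * 4 ))
}

# check_aes_key KEYHEX < listing
# Returns 0 if the key fits, 1 if it exceeds the limit, 2 on a bad key,
# 3 if the listing has no CKM_AES_CBC row.
check_aes_key() {
    bits=$(hex_key_bits "$1") || { echo "invalid: not even-length hex"; return 2; }
    max=$(aes_cbc_max_bits) || { echo "unknown: no CKM_AES_CBC row"; return 3; }
    case $bits in
        128|192|256) ;;
        *) echo "invalid: $bits bits is not an AES key size"; return 2 ;;
    esac
    if [ "$bits" -le "$max" ]; then
        echo "ok: $bits-bit key within $max-bit limit"
    else
        echo "too long: $bits-bit key exceeds $max-bit limit"; return 1
    fi
}

# Demo on the constructed listings.
sample_stock_s10 | check_aes_key "$KEY192" || :
sample_with_kit  | check_aes_key "$KEY256" || :
```

On a live system the listing would come from `cryptoadm list -mv | check_aes_key <key>` instead of the sample functions.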