> > OK, how can I check whether I'm using ESP with
> > auth?
>
> If you're already protecting traffic with ESP, utter
> (with privilege):
>
> ipseckey dump esp | egrep "AKY:|Authentication"
This returns no output.

> If you see output, then you're using ESP
> authentication.

Oops. I guess I have to fix my config file. Or is this because I'm on Solaris 10?

> Yep. When he presents the paper at the conference,
> he'll show you how
> OpenSolaris is "vulnerable" because we follow the
> spec if we do proper,
> by-the-spec padding checks.

So what can I do to protect my traffic against it?

> Aha! If you're running a recent build of
> OpenSolaris, you can utter:
>
> ipsecconf -ln -i ip.tun0

Nope, this is IPsec between Solaris 10 1/06 i86pc and Solaris 9 12/03 sparc (:-)

> to see the policy for ip.tun0. Or you can do:
>
> ifconfig ip.tun0

This is on my proof-of-concept config with no NAT; it looks like I'm using AH + ESP:

ip.tun0: flags=11008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,ROUTER,IPv4> mtu 1395 index 3
        inet tunnel src ###.###.###.### tunnel dst ###.###.###.###
        tunnel security settings ah (hmac-sha1) esp (3des-cbc/<any-none>)
        tunnel hop limit 60
        inet ###.###.###.### --> ###.###.###.### netmask ffff0000

> Nope. The one thing, though, is that it looks like
> your fixed IP address has
> one of THEIR NATs in front of it. This could be
> problematic for IKE because
> in theory the ISP NAT won't know to which box IKE
> packets should be directed.

That is correct. The ADSL "modem" has two interfaces:

FW <---> int. if <---> ext. if (NAT) <---> InterNet.

Let's hope it will work though.

This message posted from opensolaris.org
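A per-SA version of the ipseckey dump esp | egrep "AKY:|Authentication" check quoted above, as an added example that is not part of the original thread: the one-liner only tells you that some ESP SA carries an authentication key, whereas what the padding-check discussion turns on is whether any encryption-only ESP SA exists at all. The sample dump is constructed to match the shape implied by that grep (an "AKY:" line present only when the SA has an authentication key); the exact field layout of real ipseckey output is assumed here, not taken from the page, so compare the "spi=" field position against a real dump before relying on the script.

```shell
#!/bin/sh
# Added example, not from the opensolaris.org thread.
# Reports ESP SAs that have no authentication key, i.e. the
# encryption-only configuration the padding-oracle paper targets.

# CONSTRUCTED sample in the general shape of `ipseckey dump esp`:
# one "SA: SADB_ASSOC spi=..." header per SA, an "AKY:" block only
# when an authentication key is present. The real format on Solaris
# is assumed to be similar; it is not copied from a real system.
SAMPLE_DUMP='Base message (version 2) type DUMP, SA type ESP.
SA: SADB_ASSOC spi=0x1a2b3c4d, replay=64, state=MATURE
SA: Authentication algorithm = HMAC-SHA-1
SA: Encryption algorithm = 3DES-CBC
AKY: Authentication key.
AKY: 0123456789abcdef0123456789abcdef01234567/160
EKY: Encryption key.
EKY: 00112233445566778899aabbccddeeff0011223344556677/192
Base message (version 2) type DUMP, SA type ESP.
SA: SADB_ASSOC spi=0x0badf00d, replay=64, state=MATURE
SA: Encryption algorithm = 3DES-CBC
EKY: Encryption key.
EKY: 8899aabbccddeeff00112233445566778899aabbccddeeff/192
Dump succeeded for SA type 3.'

# Read a dump on stdin; print the SPI of every SA that has no AKY:
# line between its "SA: SADB_ASSOC spi=" header and the next header.
esp_sas_without_auth() {
    awk '
        function flush() {
            if (spi != "" && !has_auth) print spi
            spi = ""
        }
        /^SA: SADB_ASSOC spi=/ {
            flush()
            spi = $3                       # assumed field: "spi=0x...,"
            sub(/^spi=/, "", spi)
            sub(/,$/, "", spi)
            has_auth = 0
        }
        /^AKY:/ { has_auth = 1 }
        END { flush() }
    '
}

# Return 0 when every ESP SA in the dump carries an authentication
# key, 1 when at least one encryption-only SA is present.
check_esp_auth() {
    bad=$(esp_sas_without_auth)
    if [ -n "$bad" ]; then
        echo "ESP SAs without authentication: $bad" >&2
        return 1
    fi
    echo "all ESP SAs carry an authentication key" >&2
    return 0
}

# Against a live system (needs privilege):
#   ipseckey dump esp | check_esp_auth
# Against the constructed sample:
printf '%s\n' "$SAMPLE_DUMP" | esp_sas_without_auth   # prints 0x0badf00d
```

The script deliberately keys on the "AKY:" prefix that the quoted grep already uses rather than on the "Authentication algorithm" line, because an SA listing an auth algorithm but no key would still be of no use; adjust the header regex if a real dump shows the SPI in a different position.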