UNIX admin wrote:
>> From a practical perspective, the rule syntax is
>> very subtle.
>> encr_algs aes encr_auth_algs sha1
>> will use ESP with AES encryption and SHA1
>> authentication.
>>
>> encr_algs aes auth_algs sha1
>> uses ESP with AES encryption, AH with SHA1
>> authentication, incompatible
>> with NAT.
>>
>> It's a common nuance that people sometimes miss.
>
> Thank you for the heads up. The thing that concerns me is to find out whether
> the above works in Solaris 10, or is in OpenSolaris only.
>
Yes, it applies to policy rules created with ipsecconf in transport mode and to ifconfig-type rules, and also to ipsecconf-type rules in tunnel mode in OpenSolaris/Nevada post tunnel-reform.

The tunnel reform project is included in Solaris 10 07/06 (or whatever the next version of S10 is called), so you can create rules in the manner that Dan described earlier if you upgrade to that. In both OpenSolaris and S10-next, the old ifconfig-style tunnel is supported for backwards compatibility.

Thanks,
Paul
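An added example, not part of the thread above, of auditing an ipsecconf-style policy file for the nuance Dan pointed out: the checker distinguishes ESP integrity (`encr_auth_algs`) from a separate AH header (`auth_algs`) and flags any AH rule as incompatible with NAT. The rule lines, addresses and the `bypass` rule are constructed sample input, and the `{pattern} action {properties}` shape is assumed from the ipsecconf(1M) syntax.

```python
import re

# Constructed ipsecconf-style policy (not from the thread); addresses are
# documentation ranges, not real hosts.
SAMPLE_POLICY = """
# ESP does both encryption and integrity: survives NAT
{ laddr 192.0.2.10 raddr 198.51.100.20 } ipsec { encr_algs aes encr_auth_algs sha1 sa shared }
# ESP for encryption, AH for integrity: AH covers the IP header, so NAT breaks it
{ laddr 192.0.2.10 raddr 198.51.100.30 } ipsec { encr_algs aes auth_algs sha1 sa shared }
# AH only
{ laddr 192.0.2.10 raddr 198.51.100.40 } ipsec { auth_algs sha1 sa shared }
{ laddr 192.0.2.10 raddr 203.0.113.5 } bypass { dir out }
"""

RULE_RE = re.compile(r"\{(?P<pattern>[^}]*)\}\s*(?P<action>\w+)\s*\{(?P<props>[^}]*)\}")

def parse_props(text):
    """Turn 'encr_algs aes sa shared' into {'encr_algs': 'aes', 'sa': 'shared'}."""
    toks = text.split()
    return dict(zip(toks[0::2], toks[1::2]))

def classify_rule(line):
    """Return a dict describing one 'ipsec' rule, or None for other rules."""
    m = RULE_RE.search(line)
    if not m or m.group("action") != "ipsec":
        return None
    props = parse_props(m.group("props"))
    uses_esp = "encr_algs" in props or "encr_auth_algs" in props  # ESP header
    uses_ah = "auth_algs" in props                                  # separate AH header
    return {
        "pattern": " ".join(m.group("pattern").split()),
        "esp": uses_esp,
        "ah": uses_ah,
        "nat_safe": uses_esp and not uses_ah,  # AH is the NAT-incompatible part
        "props": props,
    }

def audit_policy(text):
    """Classify every 'ipsec' rule in a policy file, ignoring comments and blanks."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and (rule := classify_rule(line)):
            findings.append(rule)
    return findings

if __name__ == "__main__":
    for r in audit_policy(SAMPLE_POLICY):
        verdict = "ok" if r["nat_safe"] else "WARNING: AH present, breaks behind NAT"
        print(f"{r['pattern']}: esp={r['esp']} ah={r['ah']} -> {verdict}")
```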