Re: IPSEC on Solaris 8

From: Trevor Fiatal (trevor@seven.com)
Date: 10/02/01


Message-ID: <3BBA17FA.CC8439DE@seven.com>
Date: Tue, 02 Oct 2001 12:39:38 -0700
From: Trevor Fiatal <trevor@seven.com>
To: SUN-sec Mailinglist <focus-sun@securityfocus.com>
Subject: Re: IPSEC on Solaris 8

adam morley wrote:
>
> On Mon, Oct 01, 2001 at 10:37:59AM +0200, Conny Stefors wrote:
> >
> > The man-pages for the IPSEC feature are unfortunately not very good :-(
>
> they are good once you know what you are doing, the key is figuring out what you are doing first! your best bets are to start with the answerbooks if you have them, or just hop onto docs.sun.com:
[deletia]

I'm surprised no-one has mentioned the biggest stumbling block to
getting IPsec working on Sol8: install the optional/downloadable
crypto packages so the IPsec stuff actually works! (The documentation
is fscking miserable in this regard, took me days to figure out
why IPsec wasn't working.)

You *must* download and install the crypto packages if you want
to do anything useful. You can find them at:

        http://www.sun.com/software/solaris/encryption/download.html

One warning: these packages include a new version of libcrypt
(libcrypt_d.*) that supersedes the export-legal libcrypt_i.* which
comes with Sol8. If you compile *anything* which references
libcrypt on a system with the optional crypto pkgs installed, it
will not work on a standard Sol8 system lacking the enhanced crypto
libs. Found this out the hard way.

In my case, I now have two build hosts used to compile software --
one with libcrypt_d.* installed, and one without. This allows us
to build certain software for 'secure' systems use only, and other
stuff for use on any system.

-Trevor

-- 
Trevor Fiatal -- trevor@seven.com -- http://www.seven.com/
Co-Founder, CSO
SEVEN
510.967.4556 (work/mobile)  
510.401.8054 (vmail/fax)