If anyone has been able to get IPsec-protected NFS working between a NetApp filer and a Unix machine, I'd love to hear about it.
I can get it to work using a Solaris 8 box as both the server and the client, but when I try to use a NetApp (6.4.4R1) as the server, no luck.
I opened a case (697672), but was told that the only clients supported are Windows 2K and later. This doc reinforces that:
http://now.netapp.com/NOW/knowledge/docs/ontap/rel65/html/ontap/nag/ipsec2.h...
Towards the end of the page, under the section:
About the Network Appliance IPsec implementation
...
Only clients running Windows 2000 or greater are supported for IPsec connections.
An RFE is filed:
http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=130292
though the page is pretty useless, as it only says "Bug information not available". I enabled "watching" for that RFE, but haven't heard anything back since April, 2004.
I've also tried using Kerberos to secure the NFS exported data, but the way we share the data between heterogeneous platforms, it means that unless we can get all of our supported clients to use Kerberized NFS, then it doesn't help to do any subset. At this point, MacOS X is holding us back. I'm praying that the Tiger (10.4?) release will address the issue, but I'm not holding my breath. Even if they do, another hurdle is CAP. We re-export NFS mounted data via CAP to MacOS 9 boxes. Getting CAP to track Kerberos credentials is not something we're willing to invest time in.
Has anyone else come up with some alternate means by which to secure NFS exported data, where the server is a NetApp filer? (For years I've been losing the battle to get the physical network secure, using locking wall jacks in our public access labs.) I've been using NetApp file servers since 1995, and have been generally happy, but this security problem is making me seriously reconsider.