Sorry Steve, I haven't yet done this for our Solaris 10 boxes, though I'd really like to. I recall making it work between Solaris 8 boxes, and I recall the need for IKE when interacting with the filers.
I'd also like to see any hints or gotchas if someone else has already done this. If I get around to it first, I'll post my notes here.
To: Brian Parent bparent@calvin.ucsd.edu Cc: Mike Eisler email2mre-toasters@yahoo.com, toasters@mathworks.com Subject: Re: NFSv4 [was: Re: Mixed Mode] Date: Tue, 21 Mar 2006 15:16:23 -0500 From: Steve Losen scl@sasha.acc.virginia.edu
Date: Fri, 17 Mar 2006 17:43:34 -0800 (PST) From: Mike Eisler email2mre-toasters@yahoo.com Subject: Re: NFSv4 [was: Re: Mixed Mode] To: Brian Parent bparent@calvin.ucsd.edu, toasters@mathworks.com
--- Brian Parent bparent@calvin.ucsd.edu wrote:
Currently, we're using IPsec with non-kerberized NFS to deal with the vulnerabilities inherent in trusting IP address for authorization in an environment where network jacks in public places exist (e.g. most Universities).
How is the performance of this? Are you using AH or ESP?
We're only using AH, thinking the performance hit wouldn't be as large, plus our main focus was to authenticate the endpoints as opposed to privacy of the data. We suffered quite a bit, and purchased an IPsec hardware accelerator for the R100 which helped. However, there was a compound problem that cleared up at about the same time as the installation of the accelerator, so it's hard to accurately attribute which problem to what amount of extra load. I tend to think that the IPsec accelerator would not have been necessary had the other problem not surfaced.
We have a FAS3050c running 7.0.1R1 and some Solaris 8 NFS clients on a physically insecure network. We would LOVE to set up IPsec using AH between them, but I have not had any luck so far. We have a Solaris 10 system that I can play with, since Solaris 8 does not seem to have IKE (required by ONTAP). If I can get the Solaris 10 system working, then we will gladly upgrade the Solaris 8 systems.
Do you have any hints or notes or anything that you can give me explaining how you got IPsec to work? If your NFS clients aren't Solaris, then I'm probably out of luck.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
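For anyone attempting Steve's Solaris 10 experiment, here is an added example of the client-side configuration for the setup discussed above (AH only, IKE with a preshared key, no encryption). It is not from the original thread and is not what Brian ran; it follows the Solaris 10 ipsecconf(1M), ike.config(4) and ike.preshared(4) file formats. The addresses 192.0.2.10 (Solaris client) and 192.0.2.20 (filer), the label and the key value are placeholders. The ONTAP side is not shown because the thread does not give its syntax; the filer must be configured with a matching phase 1 proposal, a matching AH/SHA-1 phase 2 proposal and the same preshared key.

```conf
# /etc/inet/ipsecinit.conf  (Solaris 10 client; placeholder addresses)
# Apply AH (authentication only, no encryption) to all traffic between the
# client and the filer.  A host-to-host rule is used rather than a port rule
# so that rpcbind, mountd, lockd and statd traffic is covered, not just
# port 2049.  "sa shared" lets one pair of SAs carry every connection.
{laddr 192.0.2.10 raddr 192.0.2.20} ipsec {auth_algs sha1 sa shared}

# /etc/inet/ike/config  (client side; the filer must accept these proposals)
p2_pfs 2
{
    label "filer-ah"
    local_addr 192.0.2.10
    remote_addr 192.0.2.20
    p1_xform { auth_method preshared oakley_group 2 auth_alg sha1 encr_alg 3des }
}

# /etc/inet/secret/ike.preshared  (mode 0600, owned by root; the key is a
# placeholder hex string and must match the key configured on the filer)
{
    localidtype IP
    localid 192.0.2.10
    remoteidtype IP
    remoteid 192.0.2.20
    key 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
}
```

Load the policy with `ipsecconf -a /etc/inet/ipsecinit.conf` and then start (or restart) `in.iked`. Once the policy is in place, packets to the filer are held until IKE has negotiated the SAs, so do this from the console or over a path the rule does not cover, and expect an existing NFS mount to stall briefly. `ipseckey dump` lists the AH SAs after a successful negotiation, and `snoop` on the client will show an AH header on each packet rather than the plain NFS RPC; if the SAs never appear, the phase 1 or phase 2 proposals on the two sides do not match. Note that AH covers the IP header as well as the payload, which is exactly the endpoint-authentication property Brian describes, but the NFS data itself still travels in the clear.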