
SSH ISAKMP/Oakley interoperability test site announcement



The SSH ISAKMP/Oakley test site is now available for testing.
See:

<URL:http://isakmp-test.ssh.fi/>.

This site was already announced in the Washington IETF IPSec session,
and has been operational since then, but this is the official
announcement of its availability for testing.

The SSH ISAKMP/Oakley test site is a web-based test site for
ISAKMP/Oakley servers, and it allows your implementation to perform
negotiations against the test server. It gives you sufficient
debugging output that you can resolve most problems yourself; we are
happy to work with you on the remaining ones (send mail to
isakmp-support@ssh.fi).

For demonstration purposes, you can also have our implementation
negotiate against itself by giving 194.100.55.1 as the IP address
for the other end and using a different port number for each end.

I've now configured the system so that you can also use port 500 for
testing at the SSH end. So if you couldn't test earlier because you
couldn't configure the remote port, you can now use port 500 as well.

Because only one user can be testing on the same port at the same time
(the test servers are each completely separate from each other, but
run on the same machine), it would be good to use some other port if
you can, and leave port 500 for those who cannot choose...

The SSH ISAKMP/Oakley test site supports the latest drafts (isakmp-08+
(the certificate request payload is already changed to the newer
format coming in the next version of the draft), oakley-02,
isakmp-oakley-05, doi-06), and the following options in those drafts:

	- Several compatibility flags (including "Only IP number in
	  HASH", "Old Public key encryption PRF key", and "Old
	  certificate request payload format").

	- Authentication with pre-shared keys, and limited support for
	  DSA/RSA signature and RSA encryption authentication.
	  Authentication via signatures or encryption is slightly
	  limited because you have to configure your own system so it
	  trusts our test CA key (the certificate for it can be found on
	  the main page), or just trusts any certificate sent
	  by the other end (you also need to turn the "trust all
	  certificates" flag on at the SSH end so it will trust your
	  certificates). The certificate sent by the other end must
	  have the correct IP address in the alt name field. We can
	  also manually do some CA operations here, so send mail to
	  isakmp-support@ssh.fi if you want to do even more complicated
	  certificate testing.

	- Both responder and initiator ends.

	- Both Main mode and Aggressive mode.

	- New group mode between main or aggressive mode and quick
	  mode.

	- Quick mode.

	- Encryption algorithms: DES, Blowfish, 3DES, and CAST-128.

	- Hash algorithms: MD5 and SHA.

	- Diffie-Hellman groups: 1, 2, private group arguments
	  given in the ISAKMP proposal, and a private group negotiated
	  in new group mode (for quick mode).

	- With or without PFS in quick mode.

The ISAKMP/Oakley test site is NOT connected to an IPSec engine, so it
will just print out the resulting keys after negotiation so that you
can check them (note that it prints just the raw key material; parity
bits etc. are fixed at the IPSec engine level, not at this level).

If you have any comments, problems, enhancements etc. please send mail
to isakmp-support@ssh.fi.

I will try to add some more help texts to the pages later, but I think
implementors should be able to understand the user interface and
debug output already. I really hope this service will be useful to
the IPSec community.
-- 
kivinen@ssh.fi                               Work : +358-9-4354 3207
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec.html
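The announcement above says the test site prints raw key material and leaves DES parity fixing to the IPSec engine. The following added example (not code from the mail or from the SSH toolkit) shows what that means in practice: it derives the phase 1 SKEYID family for pre-shared-key authentication and expands SKEYID_e to a 3DES-length key, then fixes DES parity on the result so the two forms can be compared side by side. The PRF formulas follow RFC 2409, the published form of the isakmp-oakley drafts the mail names; whether isakmp-oakley-05 used byte-for-byte the same construction is an assumption here. All inputs (pre-shared key, nonces, cookies, and the g^xy value, which is a constructed byte string rather than a real Diffie-Hellman result) are constructed test data.

```python
"""ISAKMP/Oakley phase 1 keying material and DES parity fixing (added example).

Formulas are those of RFC 2409 section 5 for pre-shared-key authentication;
the PRF is HMAC with the negotiated hash (MD5 or SHA, as the test site offers).
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes, hash_name: str = "md5") -> bytes:
    """Oakley PRF: HMAC keyed with the negotiated hash function."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()


def skeyid_preshared(psk: bytes, ni_b: bytes, nr_b: bytes, hash_name: str = "md5") -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b, hash_name)


def derive_skeyids(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes,
                   hash_name: str = "md5"):
    """SKEYID_d, SKEYID_a, SKEYID_e; the trailing 0/1/2 are single octets."""
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00", hash_name)
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01", hash_name)
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02", hash_name)
    return skeyid_d, skeyid_a, skeyid_e


def expand_key(skeyid_e: bytes, needed: int, hash_name: str = "md5") -> bytes:
    """Raw cipher key from SKEYID_e.

    If SKEYID_e is long enough it is truncated; otherwise it is expanded as
    K1 = prf(SKEYID_e, 0), Ki = prf(SKEYID_e, K(i-1)), and the concatenation
    is truncated to the cipher's key length (e.g. 24 bytes for 3DES).
    """
    if len(skeyid_e) >= needed:
        return skeyid_e[:needed]
    blocks = [prf(skeyid_e, b"\x00", hash_name)]
    while sum(len(b) for b in blocks) < needed:
        blocks.append(prf(skeyid_e, blocks[-1], hash_name))
    return b"".join(blocks)[:needed]


def des_fix_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every byte has odd parity (DES convention).

    The upper seven bits, which carry the actual key material, are left alone;
    this is the step the mail says happens in the IPSec engine, not the test site.
    """
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 == 1 else 1))
    return bytes(out)


def des_parity_ok(key: bytes) -> bool:
    """True when every byte of the key has odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


if __name__ == "__main__":
    # Constructed test inputs; g_xy is a stand-in, not a real DH shared secret.
    psk = b"constructed-test-psk"
    ni_b, nr_b = b"I" * 16, b"R" * 16
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))
    g_xy = bytes(range(96))

    skeyid = skeyid_preshared(psk, ni_b, nr_b)
    _, _, skeyid_e = derive_skeyids(skeyid, g_xy, cky_i, cky_r)
    raw_3des = expand_key(skeyid_e, 24)        # what the test site would print
    fixed_3des = des_fix_parity(raw_3des)       # what the IPSec engine would use
    print("raw  :", raw_3des.hex(), "parity ok:", des_parity_ok(raw_3des))
    print("fixed:", fixed_3des.hex(), "parity ok:", des_parity_ok(fixed_3des))
```

When comparing your implementation's output with the test site's, compare the raw expanded key, as the site does not apply the parity fix; comparing against parity-fixed keys from your IPSec engine will show differences in the low bit of roughly half the bytes even when the negotiation was correct.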