
Re: Basic IKE authentication question



  You don't necessarily need a certificate to do any of the public key 
authentication methods in IKE, you just need the peer's public key. They
just have to be exchanged in some out-of-band mechanism (like manual 
exchange the way Cisco's freeware code does it) if you're not using certs. 
IKE provides a mechanism to distribute exchange certs but not untrusted 
public keys.

  Dan.

On Wed, 30 Dec 1998 15:08:28 EST you wrote
> I've read RFC2408 and RFC2409 searching for the answer to this
> (albeit basic) question, but haven't come up with an authoritative answer.
> 
> What are the available options for peer authentication before an IPsec
> tunnel can be established? I suspect that they are:
> 
> - Pre-shared keys (i.e. some string that both peers agree upon in advance)
> - X.509 certs from a Certificate Authority
> 
> But how about:
> 
> - Unverified public key exchange (like ssh)
> - Manual distribution of public keys (Cisco's IKE implementation)
> 
> Thanks a lot, & happy new year to all!
> 
> -- ramon
> 

