Re: Basic IKE authentication question
You don't necessarily need a certificate to do any of the public key
authentication methods in IKE, you just need the peer's public key. They
just have to be exchanged in some out-of-band mechanism (like manual
exchange the way Cisco's freeware code does it) if you're not using certs.
IKE provides a mechanism to distribute/exchange certs but not untrusted
public keys.
Dan.
On Wed, 30 Dec 1998 15:08:28 EST you wrote
> I've read RFC2408 and RFC2409 searching for the answer to this
> (albeit basic) question, but haven't come up with an authoritative answer.
>
> What are the available options for peer authentication before an IPsec
> tunnel can be established? I suspect that they are:
>
> - Pre-shared keys (i.e. some string that both peers agree upon in advance)
> - X.509 certs from a Certificate Authority
>
> But how about:
>
> - Unverified public key exchange (like ssh)
> - Manual distribution of public keys (Cisco's IKE implementation)
>
> Thanks a lot, & happy new year to all!
>
> -- ramon
>