Jerry,

That isn’t all that unusual. While they may not be able to do dynamic negotiation of keys, you should still be able to verify interoperability with manual tunnels. What you would be verifying in this case is that the IPsec encryption, AH and/or ESP, was working.

The “restriction” in Solaris 8 for having the key comprised of the authentication and encryption keys is not unique. I previously tested the SSR family of routers at Cabletron, which had IPsec support. That was exactly how we specified the keys. The software then split up the provided key in the correct proportions to satisfy the authentication and encryption key needs.

In that case, depending on the hashing and encryption algorithms that you choose, you will need to provide a long enough key for both. In the Win2K environment, you’ll need to figure out where the split in the key is so that you can specify them separately, if that is how Win2K requires them to be specified. With two different implementations, the trick is to specify the parameters to both implementations, in their native management environment, such that they will be able to communicate. You should be able to make it happen after a little trial and error, I suspect.

I am not aware if they have been submitted for a mark from VPNC or ICSA. If they were, and received their respective mark for whatever subset they were submitted to be tested against, then they will have been tested for interoperability with the lab’s “reference set” of routers. If they passed, then you’ve got your interoperability answer.
ICSA is at www.icsalabs.com and VPNC is at www.vpnc.org.

Good luck!

David Fox

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Fox
Quarry Technologies
8 New England Executive Park
Burlington, Massachusetts 01803
dfox@quarrytech.com
Direct: 781-359-5094
Main: 781-505-8300 x5094
FAX: 781-505-8316
www.quarrytech.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----

Hi all,

I am testing the interoperability of IPSec between the native support from Solaris 8 and Win2K. It seems not possible due to the fact that Solaris 8's IPsec implementation is not full-fledged, and it only allows for manual keyed SA. Also the length of the keys is dependent on the authentication and encryption algorithm on Solaris 8 while Win2K doesn't seem to have this constraint. Win2K configuration tool only allows for authentication key to be manually configured, not encryption key. So I can't see how these two would work together. Does anyone have a similar experiment and draw the same or opposite conclusions?

Thanks.
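
Added example, not part of either message above: a Python sketch of the key split David describes, so that one combined manual-SA key can be entered as separate encryption and authentication keys on the other side. The key lengths are those the algorithm definitions fix for DES-CBC, 3DES-CBC, HMAC-MD5-96 and HMAC-SHA-1-96; the function name, the algorithm labels and the enc_first ordering flag are assumptions, because the thread does not say which part either implementation expects first.

```python
# Added example: split one combined manual-SA key into its ESP encryption
# and authentication parts. Function name, algorithm labels and the
# ordering flag are assumptions, not taken from Solaris 8 or Win2K tools.

# Key lengths in bytes fixed by the algorithm definitions.
ENC_KEY_BYTES = {"null": 0, "des-cbc": 8, "3des-cbc": 24}
AUTH_KEY_BYTES = {"none": 0, "hmac-md5-96": 16, "hmac-sha1-96": 20}


def split_manual_key(combined_hex, enc_alg, auth_alg, enc_first=True):
    """Return (enc_key, auth_key) as bytes, or raise ValueError."""
    if enc_alg not in ENC_KEY_BYTES or auth_alg not in AUTH_KEY_BYTES:
        raise ValueError(f"unknown algorithm pair: {enc_alg}/{auth_alg}")
    text = combined_hex.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)  # raises ValueError on odd length or non-hex
    enc_len = ENC_KEY_BYTES[enc_alg]
    auth_len = AUTH_KEY_BYTES[auth_alg]
    if len(raw) != enc_len + auth_len:
        # A key that is too short or too long means the two ends would
        # silently disagree on where the split falls, so refuse it.
        raise ValueError(
            f"{enc_alg}+{auth_alg} needs {enc_len}+{auth_len} bytes, "
            f"got {len(raw)}"
        )
    if enc_first:
        return raw[:enc_len], raw[enc_len:]
    return raw[auth_len:], raw[:auth_len]


if __name__ == "__main__":
    # Constructed sample key (bytes 00..2b), for illustration only.
    sample = bytes(range(44)).hex()
    # Try both orderings; only one will interoperate with the peer.
    for order in (True, False):
        enc, auth = split_manual_key(sample, "3des-cbc", "hmac-sha1-96", order)
        print("enc first" if order else "auth first")
        print("  encryption key    :", enc.hex())
        print("  authentication key:", auth.hex())
```

If traffic fails to decrypt or authenticate with one ordering, swap enc_first and re-enter the keys; that is the trial and error the reply refers to.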