
RE: interoperability of IPSec between solaris 8 and win2k



Jerry,

            That isn’t all that unusual.  While they may not be able to do dynamic negotiation of keys, you should still be able to verify interoperability with manual tunnels.  What you would be verifying in this case is that the IPsec encryption, AH and/or ESP, was working.

 

            The “restriction” in Solaris 8 for having the key comprised of the authentication and encryption keys is not unique.  I previously tested the SSR family of routers at Cabletron, which had IPsec support.  That was exactly how we specified the keys.  The software then split up the provided key in the correct proportions to satisfy the authentication and encryption key needs.  In that case, depending on the hashing and encryption algorithms that you choose, you will need to provide a long enough key for both.  In the Win2K environment, you’ll need to figure out where the split in the key is so that you can specify them separately, if that is how Win2K requires them to be specified.

 

            With two different implementations, the trick is to specify the parameters to both implementations, in their native management environment, such that they will be able to communicate.  You should be able to make it happen after a little trial and error, I suspect.

 

            I am not aware if they have been submitted for a mark from VPNC or ICSA.  If they were, and received their respective mark for whatever subset they were submitted to be tested against, then they will have been tested for interoperability with the lab’s “reference set” of routers.  If they passed, then you’ve got your interoperability answer.  ICSA is at www.icsalabs.com and VPNC is at www.vpnc.org.  

 

Good luck!

 

            David Fox

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

David Fox                                                

Quarry Technologies                                dfox@quarrytech.com

8 New England Executive Park               Direct: 781-359-5094

Burlington, Massachusetts  01803         Main: 781-505-8300 x5094

www.quarrytech.com                                 FAX:   781-505-8316

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

-----Original Message-----
From: jerry.wang@tumbleweed.com [mailto:jerry.wang@tumbleweed.com]
Sent: Wednesday, January 30, 2002 4:55 PM
To: ipsec@lists.tislabs.com
Subject: interoperability of IPSec between solaris 8 and win2k

 

Hi all,

 

I am testing the interoperability of IPSec between the native support from Solaris 8 and Win2k. It seems not possible due to the fact that Solaris 8's IPsec implementation is not full-fledged, and it only allows for manually keyed SAs. Also, the length of the keys is dependent on the authentication and encryption algorithm on Solaris 8, while Win2k doesn't seem to have this constraint. The Win2k configuration tool only allows for the authentication key to be manually configured, not the encryption key.

 

So I can't see how these two would work together. Has anyone done a similar experiment and drawn the same or opposite conclusions? Thanks.
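
The key split described in the reply above (one combined key divided "in the correct proportions" between the encryption and authentication algorithms), as an added Python example that is not from either poster or from any of the products mentioned. The key sizes are the standard ones for these transforms; the function names, the algorithm labels and the order of the two parts inside the combined key are assumptions, and the sample key is constructed.

```python
# Added example. Key sizes in bytes for common manual-keying transforms.
KEY_BYTES = {
    "des": 8,         # DES-CBC
    "3des": 24,       # 3DES-CBC
    "hmac-md5": 16,   # HMAC-MD5-96
    "hmac-sha1": 20,  # HMAC-SHA-1-96
}


def required_length(encr_alg, auth_alg):
    """Bytes the combined key must supply for this algorithm pair."""
    return KEY_BYTES[encr_alg] + KEY_BYTES[auth_alg]


def split_combined_key(combined_hex, encr_alg, auth_alg, encr_first=True):
    """Split one combined manual key into (encr_key_hex, auth_key_hex).

    encr_first is an assumption: which part comes first is specific to the
    implementation, so both orders may need to be tried against the peer.
    """
    text = combined_hex.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    try:
        raw = bytes.fromhex(text)
    except ValueError as exc:
        raise ValueError("combined key is not valid hex") from exc

    need = required_length(encr_alg, auth_alg)
    if len(raw) != need:
        raise ValueError(
            f"{encr_alg} + {auth_alg} needs {need} bytes, got {len(raw)}")

    n_encr, n_auth = KEY_BYTES[encr_alg], KEY_BYTES[auth_alg]
    if encr_first:
        encr, auth = raw[:n_encr], raw[n_encr:]
    else:
        auth, encr = raw[:n_auth], raw[n_auth:]
    return encr.hex(), auth.hex()


# Constructed 40-byte sample key (00 01 02 ... 27), not a real key.
SAMPLE_KEY = bytes(range(40)).hex()

if __name__ == "__main__":
    for first in (True, False):
        e, a = split_combined_key(SAMPLE_KEY, "3des", "hmac-md5", first)
        print(f"encr_first={first}\n  encrkey {e}\n  authkey {a}")
```

The two orderings give different key pairs from the same combined key, so a wrong guess about the split point leaves the two ends with mismatched keys.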