Jerry,
That isn’t all that unusual. While they may not be able to do dynamic negotiation of keys, you should still be able to verify interoperability with manual tunnels. What you would be verifying in this case is that the IPsec encryption, AH and/or ESP, was working.
The “restriction” in Solaris 8 for having the key comprised of the authentication and encryption keys is not unique. I previously tested the SSR family of routers at Cabletron, which had IPsec support. That was exactly how we specified the keys. The software then split up the provided key in the correct proportions to satisfy the authentication and encryption key needs. In that case, depending on the hashing and encryption algorithms that you choose, you will need to provide a long enough key for both. In the Win2K environment, you’ll need to figure out where the split in the key is so that you can specify them separately, if that is how Win2K requires them to be specified.
With two different implementations, the trick is to specify the parameters to both implementations, in their native management environment, such that they will be able to communicate. You should be able to make it happen after a little trial and error, I suspect.
I am not aware if they have been submitted for a mark from VPNC or ICSA. If they were, and received their respective mark for whatever subset they were submitted to be tested against, then they will have been tested for interoperability with the lab’s “reference set” of routers. If they passed, then you’ve got your interoperability answer. ICSA is at www.icsalabs.com and VPNC is at www.vpnc.org.
Good luck!
David Fox
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Fox
Quarry Technologies
dfox@quarrytech.com
8 New England Executive Park
Direct: 781-359-5094
Burlington, Massachusetts 01803
Main: 781-505-8300 x5094
www.quarrytech.com
FAX: 781-505-8316
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-----Original Message-----
From: jerry.wang@tumbleweed.com [mailto:jerry.wang@tumbleweed.com]
Sent: Wednesday, January 30, 2002 4:55 PM
To: ipsec@lists.tislabs.com
Subject: interoperability of IPSec between solaris 8 and win2k
Hi all,
I am testing the interoperability of IPSec between the native support from solaris 8 and win2k. It seems not possible due to the fact that solaris 8's ipsec implementation is not full-fledged, and it only allows for manual keyed sa. Also the length of the keys is dependent on the authentication and encryption algorithm on solaris 8 while win2k doesn't seem to have this constraint. Win2k configuration tool only allows for authentication key to be manually configured, not encryption key.
So I can't see how these two would work together. Does anyone have a similar experiment and draw the same or opposite conclusions?
Thanks.
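
Added example, not part of either message above: a sketch of the key split described in the reply, where one manually entered key is cut into the authentication and encryption keys so they can be entered separately on the other host. The function names, the `auth_first` ordering and the sample key are assumptions made for illustration; the key sizes are those of the standard DES, 3DES, HMAC-MD5 and HMAC-SHA1 transforms.

```python
# Key sizes in bytes, per RFC 2405/2451 (ESP ciphers) and RFC 2403/2404 (HMACs).
ENC_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24}
AUTH_KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20}

# Constructed sample: 44 bytes = 20 (HMAC-SHA1) + 24 (3DES). Not a real key.
SAMPLE_COMBINED_HEX = bytes(range(44)).hex()


def split_combined_key(combined_hex, enc_alg, auth_alg, auth_first=True):
    """Return (auth_key_hex, enc_key_hex) cut from one combined manual key.

    auth_first is an assumption: which half comes first is implementation
    specific, so confirm it against the device that accepts the combined key.
    """
    if enc_alg not in ENC_KEY_BYTES or auth_alg not in AUTH_KEY_BYTES:
        raise ValueError(f"unsupported algorithm pair: {enc_alg}, {auth_alg}")
    try:
        raw = bytes.fromhex(combined_hex.strip())
    except ValueError:
        raise ValueError("combined key must be an even-length hex string") from None
    enc_len, auth_len = ENC_KEY_BYTES[enc_alg], AUTH_KEY_BYTES[auth_alg]
    if len(raw) != enc_len + auth_len:
        # Refuse to pad or truncate: a silent length fix would hide a key
        # mismatch between the two hosts.
        raise ValueError(
            f"{enc_alg}+{auth_alg} needs {enc_len + auth_len} bytes, got {len(raw)}"
        )
    cut = auth_len if auth_first else enc_len
    head, tail = raw[:cut], raw[cut:]
    auth_key, enc_key = (head, tail) if auth_first else (tail, head)
    return auth_key.hex(), enc_key.hex()


def candidate_splits(combined_hex, enc_alg, auth_alg):
    """Both orderings, for the trial-and-error step when the order is unknown."""
    return {
        "auth_then_enc": split_combined_key(combined_hex, enc_alg, auth_alg, True),
        "enc_then_auth": split_combined_key(combined_hex, enc_alg, auth_alg, False),
    }


if __name__ == "__main__":
    splits = candidate_splits(SAMPLE_COMBINED_HEX, "3des-cbc", "hmac-sha1")
    for order, (auth, enc) in splits.items():
        print(f"{order}: auth={auth} enc={enc}")
```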