
RE: interoperability of IPSec between solaris 8 and win2k



Jerry,

Can’t help you with the specifics of Solaris and Win2K as I haven’t had to use them, as yet.

When I hear someone talk about “managing” the keys, I think of dynamic tunnels using ISAKMP.  I could be wrong but I don’t think there is anything you have to “manage” with manual tunnels.  You are statically going to pick key values that aren’t going to change.  For simplicity in testing, you can use the same key for in-bound and out-bound manual keys.  You just need to split them according to the requirements of the authentication and encryption needs.  To further simplify, until you get the first tunnel running, why not try just AH or just ESP encryption?  The key lengths will be smaller and you won’t have to worry about keying multiple protocols.

If you don’t have the list handy, here are the key lengths required by the algorithms:

- Authentication:
  - MD5 – 16 bytes
  - SHA-1 – 20 bytes
- Encryption:
  - DES – 8 bytes
  - Triple-DES – 24 bytes

If you need to use different keys, remember that the OUT-bound key and SPI on one side is the IN-bound key and SPI on the other side.


Maybe someone else can chime in with specifics on the two implementations?


Good luck!

David

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

David Fox

Quarry Technologies                                dfox@quarrytech.com

8 New England Executive Park               Direct: 781-359-5094

Burlington, Massachusetts  01803         Main: 781-505-8300 x5094

www.quarrytech.com                                 FAX:   781-505-8316

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


-----Original Message-----
From: Jerry Wang [mailto:jerry.wang@tumbleweed.com]
Sent: Friday, February 01, 2002 11:35 AM
To: dfox@quarrytech.com
Cc: ipsec@lists.tislabs.com
Subject: Re: interoperability of IPSec between solaris 8 and win2k


Thanks. I tried to figure out how solaris and win2k managed the keys so that I could make them compatible at the configuration level (not the user interface level) by supplying carefully picked keys. So far I haven't gotten any luck.


Jerry


----- Original Message -----
To: jerry.wang@tumbleweed.com
Cc: ipsec@lists.tislabs.com
Sent: Friday, February 01, 2002 11:11 AM
Subject: RE: interoperability of IPSec between solaris 8 and win2k

Jerry,

That isn’t all that unusual.  While they may not be able to do dynamic negotiation of keys, you should still be able to verify interoperability with manual tunnels.  What you would be verifying in this case is that the IPsec encryption, AH and/or ESP, was working.

The “restriction” in Solaris 8 for having the key comprised of the authentication and encryption keys is not unique.  I previously tested the SSR family of routers at Cabletron, which had IPsec support.  That was exactly how we specified the keys.  The software then split up the provided key in the correct proportions to satisfy the authentication and encryption key needs.  In that case, depending on the hashing and encryption algorithms that you choose, you will need to provide a long enough key for both.  In the Win2K environment, you’ll need to figure out where the split in the key is so that you can specify them separately, if that is how Win2K requires them to be specified.

With two different implementations, the trick is to specify the parameters to both implementations, in their native management environment, such that they will be able to communicate.  You should be able to make it happen after a little trial and error, I suspect.

I am not aware if they have been submitted for a mark from VPNC or ICSA.  If they were, and received their respective mark for whatever subset they were submitted to be tested against, then they will have been tested for interoperability with the lab’s “reference set” of routers.  If they passed, then you’ve got your interoperability answer.  ICSA is at www.icsalabs.com and VPNC is at www.vpnc.org.


Good luck!

David Fox

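An added worked example, not code from this thread or from either vendor's configuration tool, for the combined-key split David describes above and for the key lengths and in-bound/out-bound mirroring he lists in his follow-up at the top of the thread: it splits one Solaris-style key blob into authentication and encryption parts, rejects a blob of the wrong length, and builds the matching manual SA pair for two peers. The function names and the assumption that the authentication key occupies the leading bytes of the combined key are mine; the thread does not state the split order.

```python
from dataclasses import dataclass

# Key lengths in bytes, exactly as listed in David's message
AUTH_KEY_LEN = {"MD5": 16, "SHA-1": 20}
ENC_KEY_LEN = {"DES": 8, "Triple-DES": 24}


def split_combined_key(combined_hex, auth_alg, enc_alg):
    """Split a single combined key blob into (auth_key, enc_key).

    Assumption (not stated in the thread): the authentication key occupies
    the leading bytes and the encryption key the remainder. A blob whose
    length is not exactly the sum the two algorithms require is rejected.
    """
    blob = bytes.fromhex(combined_hex)
    a_len, e_len = AUTH_KEY_LEN[auth_alg], ENC_KEY_LEN[enc_alg]
    if len(blob) != a_len + e_len:
        raise ValueError(
            f"{auth_alg}+{enc_alg} needs {a_len + e_len} bytes, got {len(blob)}")
    return blob[:a_len], blob[a_len:]


@dataclass(frozen=True)
class ManualSA:
    direction: str   # "in" or "out", from the owning peer's point of view
    spi: int
    auth_alg: str
    auth_key: bytes
    enc_alg: str
    enc_key: bytes


def build_peer_sas(auth_alg, enc_alg, spi_a_to_b, key_a_to_b_hex,
                   spi_b_to_a, key_b_to_a_hex):
    """Return {"A": [out_sa, in_sa], "B": [in_sa, out_sa]} for two peers.

    The A->B SA is A's OUT-bound and B's IN-bound SA with the same SPI and
    keys; likewise for B->A. Each half is what gets typed into one side's
    native tool. Passing the same hex key twice gives the simpler
    one-key-both-directions test setup David suggests.
    """
    a_ab, e_ab = split_combined_key(key_a_to_b_hex, auth_alg, enc_alg)
    a_ba, e_ba = split_combined_key(key_b_to_a_hex, auth_alg, enc_alg)
    ab = dict(spi=spi_a_to_b, auth_alg=auth_alg, auth_key=a_ab,
              enc_alg=enc_alg, enc_key=e_ab)
    ba = dict(spi=spi_b_to_a, auth_alg=auth_alg, auth_key=a_ba,
              enc_alg=enc_alg, enc_key=e_ba)
    return {"A": [ManualSA("out", **ab), ManualSA("in", **ba)],
            "B": [ManualSA("in", **ab), ManualSA("out", **ba)]}


def mirrored(sa_out, sa_in):
    """True when one peer's OUT SA and the other's IN SA share SPI and keys."""
    return ((sa_out.direction, sa_in.direction) == ("out", "in")
            and (sa_out.spi, sa_out.auth_key, sa_out.enc_key)
            == (sa_in.spi, sa_in.auth_key, sa_in.enc_key))
```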


-----Original Message-----
From: jerry.wang@tumbleweed.com [mailto:jerry.wang@tumbleweed.com]
Sent: Wednesday, January 30, 2002 4:55 PM
To: ipsec@lists.tislabs.com
Subject: interoperability of IPSec between solaris 8 and win2k


Hi all,


I am testing the interoperability of IPSec between the native support in Solaris 8 and Win2K. It seems not possible due to the fact that Solaris 8's IPsec implementation is not full-fledged, and it only allows for manually keyed SAs. Also, the length of the keys is dependent on the authentication and encryption algorithm on Solaris 8, while Win2K doesn't seem to have this constraint. The Win2K configuration tool only allows the authentication key to be manually configured, not the encryption key.


So I can't see how these two would work together. Has anyone done a similar experiment and drawn the same or opposite conclusions? Thanks.