Jerry,

Can’t help you with the specifics of Solaris and Win2K as I haven’t had to use them, as yet.

When I hear someone talk about “managing” the keys, I think of dynamic tunnels using ISAKMP. I could be wrong but I don’t think there is anything you have to “manage” with manual tunnels. You are statically going to pick key values that aren’t going to change.

For simplicity in testing, you can use the same key for in-bound and out-bound manual keys. You just need to split them according to the requirements of the authentication and encryption needs. To further simplify, until you get the first tunnel running, why not try just AH or just ESP encryption? The key lengths will be smaller and you won’t have to worry about keying multiple protocols.

If you don’t have the list handy, here are the key lengths required by the algorithms:

- Authentication: MD5 – 16 bytes; SHA-1 – 20 bytes
- Encryption: DES – 8 bytes; Triple-DES – 24 bytes

If you need to use different keys, remember that the OUT-bound key and SPI on one side is the IN-bound key and SPI on the other side.

Maybe someone else can chime in with specifics on the two implementations?

Good luck!

David

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Fox
Quarry Technologies
dfox@quarrytech.com
8 New England Executive Park
Burlington, Massachusetts 01803
Direct: 781-359-5094
Main: 781-505-8300 x5094
FAX: 781-505-8316
www.quarrytech.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----

Thanks.

I tried to figure out how Solaris and Win2K managed the keys so that I could make them compatible at the configuration level (not the user interface level) by supplying carefully picked keys. So far I haven't had any luck.

Jerry

----- Original Message -----
Sent: Friday, February 01, 2002 11:11 AM
Subject: RE: interoperability of IPSec between solaris 8 and win2k

Jerry,

That isn’t all that unusual. While they may not be able to do dynamic negotiation of keys, you should still be able to verify interoperability with manual tunnels. What you would be verifying in this case is that the IPsec encryption, AH and/or ESP, was working.

The “restriction” in Solaris 8 for having the key comprised of the authentication and encryption keys is not unique. I previously tested the SSR family of routers at Cabletron, which had IPsec support. That was exactly how we specified the keys. The software then split up the provided key in the correct proportions to satisfy the authentication and encryption key needs. In that case, depending on the hashing and encryption algorithms that you choose, you will need to provide a long enough key for both.

In the Win2K environment, you’ll need to figure out where the split in the key is so that you can specify them separately, if that is how Win2K requires them to be specified. With two different implementations, the trick is to specify the parameters to both implementations, in their native management environment, such that they will be able to communicate. You should be able to make it happen after a little trial and error, I suspect.

I am not aware if they have been submitted for a mark from VPNC or ICSA. If they were, and received their respective mark for whatever subset they were submitted to be tested against, then they will have been tested for interoperability with the lab’s “reference set” of routers. If they passed, then you’ve got your interoperability answer. ICSA is at www.icsalabs.com and VPNC is at www.vpnc.org.

Good luck!

David Fox

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Fox
Quarry Technologies
dfox@quarrytech.com
8 New England Executive Park
Burlington, Massachusetts 01803
Direct: 781-359-5094
Main: 781-505-8300 x5094
FAX: 781-505-8316
www.quarrytech.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----

Hi all,

I am testing the interoperability of IPSec between the native support from Solaris 8 and Win2K. It seems not possible due to the fact that Solaris 8's IPsec implementation is not full-fledged, and it only allows for manually keyed SAs. Also, the length of the keys is dependent on the authentication and encryption algorithm on Solaris 8, while Win2K doesn't seem to have this constraint. The Win2K configuration tool only allows for the authentication key to be manually configured, not the encryption key. So I can't see how these two would work together. Has anyone done a similar experiment and drawn the same or opposite conclusions?

Thanks.
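Worked example, added here and not code from the thread nor from Solaris 8's or Win2K's own tooling. It covers two points from David's replies above: splitting one combined key into authentication and encryption portions of the lengths he lists (MD5 16, SHA-1 20, DES 8, Triple-DES 24 bytes), and mirroring the outbound/inbound SPIs and keys between the two peers so that a misconfigured side is caught before packets are sent. Peer names, SPIs and key values are constructed for illustration; the keyed-hash step only shows that both sides hold the same authentication key and is not a full AH/ESP ICV computation.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key lengths (bytes) for the algorithms listed in the thread: HMAC-MD5 and
# HMAC-SHA-1 keys per RFC 2403/2404, raw DES and three-key Triple-DES keys.
AUTH_KEY_LEN = {"md5": 16, "sha1": 20}
ENCR_KEY_LEN = {None: 0, "des": 8, "3des": 24}
# ICV truncation used by HMAC-MD5-96 / HMAC-SHA-1-96 in AH and ESP.
ICV_LEN = 12


@dataclass(frozen=True)
class ManualSA:
    peer: str              # host that installs this SA ("A" or "B", constructed names)
    direction: str         # "out" or "in" from that host's point of view
    spi: int
    auth_alg: str
    encr_alg: Optional[str]
    auth_key: bytes
    encr_key: bytes


def split_combined_key(combined_hex: str, auth_alg: str,
                       encr_alg: Optional[str] = None) -> Tuple[bytes, bytes]:
    """Split one combined key (authentication key first, encryption key after,
    the layout the thread describes for Solaris 8 and the Cabletron SSR) into
    (auth_key, encr_key); a key of the wrong total length is rejected."""
    key = bytes.fromhex(combined_hex)
    need_auth, need_encr = AUTH_KEY_LEN[auth_alg], ENCR_KEY_LEN[encr_alg]
    if len(key) != need_auth + need_encr:
        raise ValueError(f"{auth_alg}+{encr_alg or 'no encryption'} needs "
                         f"{need_auth + need_encr} bytes, got {len(key)}")
    return key[:need_auth], key[need_auth:]


def build_manual_sas(spi_a_to_b: int, key_a_to_b_hex: str, auth_alg: str,
                     encr_alg: Optional[str] = None,
                     spi_b_to_a: Optional[int] = None,
                     key_b_to_a_hex: Optional[str] = None) -> List[ManualSA]:
    """Build the four SAs of a manual tunnel between peers A and B.
    By default the B->A direction reuses the A->B SPI and key (the testing
    shortcut from the thread). A's outbound SA is installed on B as inbound
    with the same SPI and keys, and vice versa."""
    spi_b_to_a = spi_a_to_b if spi_b_to_a is None else spi_b_to_a
    key_b_to_a_hex = key_a_to_b_hex if key_b_to_a_hex is None else key_b_to_a_hex
    sas = []
    for src, dst, spi, khex in (("A", "B", spi_a_to_b, key_a_to_b_hex),
                                ("B", "A", spi_b_to_a, key_b_to_a_hex)):
        ak, ek = split_combined_key(khex, auth_alg, encr_alg)
        sas.append(ManualSA(src, "out", spi, auth_alg, encr_alg, ak, ek))
        sas.append(ManualSA(dst, "in", spi, auth_alg, encr_alg, ak, ek))
    return sas


def mirrored(sas: List[ManualSA]) -> bool:
    """True if every outbound SA on one peer has a matching inbound SA
    (same SPI, algorithms and keys) on the other peer."""
    other = {"A": "B", "B": "A"}
    ident = lambda sa: (sa.spi, sa.auth_alg, sa.encr_alg, sa.auth_key, sa.encr_key)
    ins = {(sa.peer, ident(sa)) for sa in sas if sa.direction == "in"}
    return all((other[sa.peer], ident(sa)) in ins
               for sa in sas if sa.direction == "out")


def icv(sa: ManualSA, data: bytes) -> bytes:
    """Truncated HMAC over data with the SA's authentication key. Only the
    keyed-hash step; mutable header fields are not zeroed as real AH would."""
    digest = {"md5": hashlib.md5, "sha1": hashlib.sha1}[sa.auth_alg]
    return hmac.new(sa.auth_key, data, digest).digest()[:ICV_LEN]


def peers_agree(sas: List[ManualSA], sender: str, data: bytes) -> bool:
    """Sender tags with its outbound SA, receiver verifies with its inbound SA.
    True only when both sides really hold the same authentication key."""
    receiver = {"A": "B", "B": "A"}[sender]
    out_sa = next(s for s in sas if s.peer == sender and s.direction == "out")
    in_sa = next(s for s in sas if s.peer == receiver and s.direction == "in")
    return hmac.compare_digest(icv(out_sa, data), icv(in_sa, data))


if __name__ == "__main__":
    # Constructed keys, not real configuration: HMAC-MD5 (16 bytes) followed
    # by Triple-DES (24 bytes) = 40 bytes = 80 hex digits per direction.
    K_AB = "00112233445566778899aabbccddeeff" + "0123456789abcdef" * 3
    K_BA = "ffeeddccbbaa99887766554433221100" + "fedcba9876543210" * 3
    sas = build_manual_sas(0x1001, K_AB, "md5", "3des", 0x1002, K_BA)
    for sa in sas:
        print(f"{sa.peer} {sa.direction:3} spi=0x{sa.spi:x} "
              f"auth={sa.auth_key.hex()} encr={sa.encr_key.hex()}")
    print("mirrored:", mirrored(sas))
    print("A->B check:", peers_agree(sas, "A", b"constructed payload"))
```

To try the AH-only or ESP-only simplification from the thread, pass `encr_alg=None` with a 16- or 20-byte key: `split_combined_key` then returns an empty encryption portion and rejects anything longer, which is the quickest way to find out where Win2K expects the split to be when its tool only takes the authentication key.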