From: Joe Patterson (jpatterson_at_asgardgroup.com)
Date: Thu Oct 31 2002 - 22:01:16 CET
My understanding (which could be incorrect, but it's the best I can do at
the moment...) is that there are three basic methods for doing ipsec
authentication (not counting things like xauth which are in addition to
these basics). Those are: psk, rsa-sig, rsa-encr.
psk is pretty much supported by everything and everyone.
rsa-sig basically means certificates. I'm not sure if there are ways to do
rsa-sig that don't involve certificates, but that's pretty much what I've
seen. All Cisco ipsec-capable devices that I know of (ios, pix, vpn
appliances) support this method. It's supported under freeswan with the
x.509 patches. I don't believe it's supported in any way by stock freeswan.
And then, there's rsa-encr, also known as rsa encrypted nonces. Cisco pix
and vpn appliances don't support this, only the ios. And it looks like
cisco doesn't really like this method (although I find it very nice for a
middle-ground solution. a pki is nice and hierarchical, but takes some time
to set up and maintain. and rsa encrypted nonces have the advantages that
1) you don't have to safeguard the contents of your router configs as
heavily, because all they contain is public key information, and 2) if you
have a fully meshed network of N routers, you only have to manage N keys,
instead of managing (N*(N-1))/2 PSK's.)
Anyhow, this auth method is supported both by ios and by freeswan. Under
ios, the commands to define a key can be found at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800d6b7e.html#31791
Under freeswan, this generally corresponds to the "leftrsasigkey=0x..." parameter.
So, both sides support the method, interoperability should be a snap, right?
Wrong. The problem is that there is no standard defined way to express an
rsa key. To both sides it's just a string of bits, but which bits mean what
is important. The way it's encoded in freeswan isn't (as far as I know)
really well documented, but it's in the code, and probably not too difficult
to figure out. The cisco side, on the other hand, is completely
undocumented, and we don't have access to the code. I recall seeing a post
a long time ago from someone who was a developer, working for cisco, working
on ipsec stuff, and even *he* wasn't really sure how it was encoded.
If someone could figure that out, and build a converter from freeswan to
cisco and cisco to freeswan, then interoperability could probably happen.
Until then, it's not likely. But it would be really nice.
additional info I've found:
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/06/msg00033.html
seems to be a discussion of this particular point. Not sure that it went
anywhere...
> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Thierry Boivin
> Sent: Thursday, October 31, 2002 12:45 PM
> To: users_at_lists.freeswan.org
> Cc: linux21cn_at_hotmail.com; sschmidt_at_compass.net.nz
> Subject: [Users] RSA without CA : cisco rsa-sig/rsa-encr
>
>
> Hello,
>
> I am trying to build a basic interop test case with freeswan <->
> cisco ios, using RSA keys.
> One of the basic case was to test it using RSA keys but without
> the help of certificates. After investigation, my opinion is that
> using RSA without certificates is only supported on cisco if
> using "RSA encrypted nonces authentication method" (rsa-encr
> flag) ... which is an unsupported authentication method for freeswan.
>
> As the question has already been asked on this list (see archive
> : Aug 2002) with an opposite opinion, i would be very interested
> by any information regarding the case.
>
> Thierry Boivin.
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>
>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Tue Nov 05 2002 - 05:20:44 CET
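An added example, not from Joe's post or from the FreeS/WAN or Cisco code, that decodes and re-encodes the FreeS/WAN-side `leftrsasigkey=` value discussed above. It assumes the layout FreeS/WAN documents for its keys, the DNS KEY RR RDATA of RFC 2537 (one-byte exponent length, or a zero byte plus a two-byte length, then the exponent, then the modulus, all big-endian) behind a `0x` (hex) or `0s` (base64) prefix; the sample modulus is constructed and is not a real key.

```python
import base64
from typing import Tuple

# Assumed layout of the leftrsasigkey= value (RFC 2537 KEY RR RDATA):
#   1 byte   exponent length L; if 0, the next 2 bytes hold L big-endian
#   L bytes  public exponent e, big-endian
#   rest     modulus n, big-endian
# FreeS/WAN prefixes the bytes with "0x" (hex) or "0s" (base64).

def decode_freeswan_key(text: str) -> Tuple[int, int]:
    """Return (e, n) parsed from a 0x... or 0s... leftrsasigkey value."""
    text = "".join(text.split())  # tolerate line breaks from ipsec.conf
    prefix, body = text[:2], text[2:]
    if prefix == "0x":
        raw = bytes.fromhex(body)
    elif prefix == "0s":
        raw = base64.b64decode(body, validate=True)
    else:
        raise ValueError(f"unknown key prefix {prefix!r}")
    if not raw:
        raise ValueError("empty key")
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    if elen == 0 or len(raw) < off + elen + 1:
        raise ValueError("exponent or modulus truncated")
    e = int.from_bytes(raw[off:off + elen], "big")
    n = int.from_bytes(raw[off + elen:], "big")
    return e, n

def encode_freeswan_key(e: int, n: int, form: str = "0s") -> str:
    """Inverse of decode_freeswan_key; form is "0x" or "0s"."""
    ebytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    if len(ebytes) < 256:
        hdr = bytes([len(ebytes)])                  # one-byte length
    else:
        hdr = b"\x00" + len(ebytes).to_bytes(2, "big")  # long form
    raw = hdr + ebytes + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if form == "0x":
        return "0x" + raw.hex()
    return "0s" + base64.b64encode(raw).decode("ascii")

# Constructed sample values: e = 65537 and a made-up modulus (not a real key).
SAMPLE_E = 65537
SAMPLE_N = 0xC2A3B19D4E7F0011223344556677889900AABBCCDDEEFF01

if __name__ == "__main__":
    for form in ("0x", "0s"):
        text = encode_freeswan_key(SAMPLE_E, SAMPLE_N, form)
        print(form, text, decode_freeswan_key(text) == (SAMPLE_E, SAMPLE_N))
```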