From: lin j. <chi...@ya...> - 2012-04-08 12:56:10

Hello Mick, I just read some parts of the RFC about IKE and have some questions.

1. The implementation of the router and ipsec-tools is IKEv1 (as shown in the version field of the IKE packet header), so should we not look at rfc 5596 but rather at rfc 2407-2409?

2. rfc 2408 says: "Certificate Request payloads SHOULD be included in an exchange whenever an appropriate directory service (e.g. Secure DNS [DNSSEC]) is not available to distribute certificates." I found there is no cert request payload in the IKE packets between two hosts using ipsec-tools; is that right?

3. In the config of the router (Cisco or Huawei), we must give the CA URL, like:

    ip host dns.com 192.168.5.148    // ca server ip
    enrollment url http://192.168.5.148:80/certsrv/mscep/mscep.dll

   but in racoon of ipsec-tools it seems we need not specify the CA URL. I don't know how the IKE protocol describes this behaviour.

I think you have more knowledge about the IKE protocol, and am looking forward to your advice. Thank you very much.

________________________________
From: Mick <mic...@gm...>
To: lin jia <chi...@ya...>
Sent: Friday, April 6, 2012 7:54 PM
Subject: Re: [Ipsec-tools-users] help, about linux host connect to cisco router with ipsec?

On Thursday 05 Apr 2012 15:26:03 you wrote:
> Yes, the connection between the cisco router and the linux host is ok if I use psk (pre
> shared key).
>
> In the next step, I am going to try openswan to see if openswan can work well
> with the cisco router in certificate mode.

I have used strongswan and it would not work - the same problem caused CERTREQ to fail. However, openswan is different so it may work.

Good luck! :-)

--
Regards,
Mick
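The second question (whether a CERTREQ payload is actually on the wire) can be checked from a capture of the UDP/500 traffic. The following is an added example, not code from this thread or from ipsec-tools: it decodes the IKEv1/ISAKMP fixed header, walks the generic payload chain of a cleartext message and reports whether a Certificate Request payload (type 7 per RFC 2408) is present. The sample packets are constructed inline; a message with the encryption flag set is reported as encrypted and its chain is not walked, since it is ciphertext.

```python
import struct

# IKEv1/ISAKMP payload type numbers (RFC 2408, section 3.1)
PAYLOAD_NAMES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CERTREQ",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
HDR = "!8s8sBBBBII"      # cookies, next payload, version, exchange, flags, msg id, length
HDR_LEN = 28
FLAG_ENCRYPTION = 0x01

def parse_isakmp(pkt: bytes) -> dict:
    """Decode the fixed header and, when the message is not encrypted, list its payloads."""
    if len(pkt) < HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, nxt, ver, exch, flags, _mid, length = struct.unpack(HDR, pkt[:HDR_LEN])
    if length != len(pkt):
        raise ValueError("header length does not match packet size")
    info = {"major": ver >> 4, "minor": ver & 0x0F, "exchange": exch,
            "encrypted": bool(flags & FLAG_ENCRYPTION), "payloads": []}
    if info["encrypted"]:
        return info          # payload chain is ciphertext; nothing to walk without session keys
    off = HDR_LEN
    while nxt != 0:          # generic payload header: next payload, reserved, length
        if off + 4 > len(pkt):
            raise ValueError("payload chain runs past end of packet")
        following, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        info["payloads"].append(PAYLOAD_NAMES.get(nxt, f"UNKNOWN({nxt})"))
        nxt, off = following, off + plen
    return info

def has_certreq(pkt: bytes) -> bool:
    """True when a cleartext IKEv1 message carries a Certificate Request payload."""
    return "CERTREQ" in parse_isakmp(pkt)["payloads"]

def build_packet(payloads, flags=0, exchange=2) -> bytes:
    """Constructed test input: a Main Mode (exchange type 2) message from (type, body) payloads."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(HDR, b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange, flags, 0, HDR_LEN + len(body))
    return hdr + body

# Constructed samples: a Main Mode KE/NONCE message with and without a CERTREQ (encoding 4 = X.509 signature)
WITH_CERTREQ = build_packet([(4, b"\xaa" * 8), (10, b"\xbb" * 8), (7, b"\x04")])
WITHOUT_CERTREQ = build_packet([(4, b"\xaa" * 8), (10, b"\xbb" * 8)])
```

Feed the raw UDP payload of each IKE message from a capture to `has_certreq` to see which direction, if any, requests a certificate.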