Hello, Mick, I just read some part of the RFC about IKE, and have some questions.
1. The implementation in the router and in ipsec-tools is IKEv1 (as shown in the version field of the IKE header of the packet), so should we not look at RFC 5596 but at RFC 2407-2409?
2. RFC 2408 says: "Certificate Request payloads SHOULD be included in an exchange whenever an appropriate directory service (e.g. Secure DNS [DNSSEC]) is not available to distribute certificates."
I found there is no cert request payload in the IKE packets between two hosts using ipsec-tools; is that right?
3. In the config of the router (Cisco or Huawei), we must give the CA URL, just like
ip host dns.com 192.168.5.148 //ca
server ip enrollment url
But in racoon of ipsec-tools, it seems we need not specify the CA URL; I don't know how the IKE protocol describes this behaviour.
I think you have more knowledge about the IKE protocol, and am looking forward to your advice. Thank you very much.
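As an added example (not code from ipsec-tools, racoon or this thread), here is a small parser that checks the two things asked about in questions 1 and 2 on a raw ISAKMP message: the version in the header and whether a CERTREQ payload (type 7) appears in the payload chain. The sample messages are constructed inline, not captured; a practitioner would instead feed it the UDP payload of the port 500 packets from a capture of the two hosts.

```python
import struct

# ISAKMP payload type numbers from RFC 2408 section 3.1 (IKEv1)
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CERTREQ", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
HEADER_LEN = 28  # fixed ISAKMP header: 2 x 8-byte cookies + 12 bytes of fields

def parse_isakmp(packet):
    """Return (major, minor, exchange_type, payload names) for one ISAKMP message."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    # After the two cookies: next payload, version, exchange type, flags, message id, length
    next_payload, version, exch, _flags, _msg_id, length = struct.unpack("!BBBBII", packet[16:28])
    if length != len(packet):
        raise ValueError("header length %d does not match %d bytes" % (length, len(packet)))
    major, minor = version >> 4, version & 0x0F  # 1.0 for IKEv1, 2.0 for IKEv2
    offset, ptype, names = HEADER_LEN, next_payload, []
    while ptype != 0:  # walk the payload chain until Next Payload == NONE
        if offset + 4 > len(packet):
            raise ValueError("payload header runs past end of packet")
        nxt, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        names.append(PAYLOAD_NAMES.get(ptype, "UNKNOWN(%d)" % ptype))
        offset += plen
        ptype = nxt
    return major, minor, exch, names

def has_certreq(packet):
    return "CERTREQ" in parse_isakmp(packet)[3]  # Certificate Request payload present?

def build_isakmp(exchange_type, payloads, version=0x10):
    """Assemble a message from [(payload_type, body_bytes), ...]; used only to make samples."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = b"\x11" * 8 + b"\x22" * 8 + struct.pack(
        "!BBBBII", first, version, exchange_type, 0, 0, HEADER_LEN + len(body))
    return header + body

# Constructed samples, not captures: exchange type 2 = main mode; bodies are dummies
# (a real CERTREQ body is the cert encoding byte, 4 = X.509 signature, followed by the CA DN)
WITH_CERTREQ = build_isakmp(2, [(4, b"\x00" * 8), (10, b"\x01" * 8), (7, b"\x04")])
WITHOUT_CERTREQ = build_isakmp(2, [(4, b"\x00" * 8), (10, b"\x01" * 8)])

if __name__ == "__main__":
    for label, pkt in (("with", WITH_CERTREQ), ("without", WITHOUT_CERTREQ)):
        major, minor, exch, names = parse_isakmp(pkt)
        print("%s: IKE v%d.%d exchange %d payloads %s" % (label, major, minor, exch, names))
```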
From: Mick <email@example.com>
To: lin jia <firstname.lastname@example.org>
Sent: Friday, April 6, 2012 7:54 PM
[Ipsec-tools-users] help, about linux host connect to cisco router with ipsec?
On Thursday 05 Apr 2012 15:26:03 you wrote:
> Yes, the connection between the Cisco router and the Linux host is ok if I use PSK (pre
> shared key).
> In the next step, I am going to try openswan to see if openswan can work well
> with the Cisco router in certificate mode.
I have used strongswan and it would not work - the same problem caused CERTREQ
to fail. However, openswan is different so it may work.
Good luck! :-)