Vandana Brar wrote:
> Interoperating with Sun Solaris, it is not clear how the keys are
> getting generated on the Solaris side of things. With an RFC compliant
> implementation of the key generation on a peer device, we can confirm
> that the following components of the key are the same:
> - SKEYID
> - SKEYID_a
> - SKEYID_d
> - SKEYID_e
> - Encryption key
>
> However, from the Solaris debugging command currently provided (ikeadm dump
> p1), the *encryption IV* does not match during the initiation
> messaging (phase 1 SA setup exchange).
>
> The RFC details are (RFC2409 Appendix B):
> " ….
> In phase 1, material for the initialization vector (IV material) for
> CBC mode encryption algorithms is derived from a hash of a
> concatenation of the initiator's public Diffie-Hellman value and the
> responder's public Diffie-Hellman value using the negotiated hash
> algorithm.
> …."

We have a standards-compliant IKE implementation which *does* generate
the IV per RFC2409. And I can confirm it *does* successfully negotiate a
set of keys with Solaris 10 iked. I don't know whether that is of any
assistance ;-).

We use exactly the same algorithm to successfully establish keys with
Cisco, Nortel, SonicWall and racoon peers :-)

Regards
Paul Winder
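
Added example, not part of the original thread and not code from either implementation: the phase 1 IV derivation quoted from RFC 2409 Appendix B, plus a helper that checks an observed IV against a few candidate derivations when two peers disagree. The function names, the "swapped" and "zeros-stripped" variants and the sample Diffie-Hellman values are assumptions constructed for illustration, not findings about Solaris iked.

```python
import hashlib

def phase1_iv(gxi: bytes, gxr: bytes, hash_name: str, block_size: int) -> bytes:
    """RFC 2409 Appendix B: first block_size bytes of hash(g^xi | g^xr)."""
    digest = hashlib.new(hash_name, gxi + gxr).digest()
    if block_size > len(digest):
        raise ValueError("cipher block size exceeds hash output length")
    return digest[:block_size]

def diagnose_iv(observed: bytes, gxi: bytes, gxr: bytes, block_size: int,
                hashes=("md5", "sha1")) -> list:
    """List every (variant, hash) pair that reproduces the observed IV."""
    # The non-RFC variants are assumed divergences worth ruling out,
    # not documented behaviour of any particular implementation.
    variants = {
        "rfc2409": (gxi, gxr),                      # initiator | responder
        "swapped": (gxr, gxi),                      # responder | initiator
        "zeros-stripped": (gxi.lstrip(b"\x00"), gxr.lstrip(b"\x00")),
    }
    return [(name, h) for name, (a, b) in variants.items() for h in hashes
            if phase1_iv(a, b, h, block_size) == observed]

# Constructed 128-byte stand-ins for group 2 public values (not real DH output).
SAMPLE_GXI = b"\x00" + bytes(range(1, 128))
SAMPLE_GXR = bytes(range(128, 256))

if __name__ == "__main__":
    iv = phase1_iv(SAMPLE_GXI, SAMPLE_GXR, "sha1", 8)   # 3DES-CBC block = 8
    print(iv.hex(), diagnose_iv(iv, SAMPLE_GXI, SAMPLE_GXR, 8))
```

An empty result from `diagnose_iv` means none of the listed candidates explains the observed IV, for example because the dumped value is not the IV of the first encrypted message.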