I have been working through the process of Diffie-Hellman key creation on Cisco routers and am confused on where some of the integers for the initial "public key" come from: Xa = g^a modulo p, where Xa is the public key generated, g is the generator, a is a private key/number(?) and p is a large prime number. The confusion comes in this form:
some texts say that g & p are exchanged between the routers prior to creating public key, others say they are well known numbers. Looking at the packet exchange of IKE messages from Saadat Malik's book shows there is no part of any packet that contains these values at all. Thus my confusion.
My only inroads into this question has been looking at the Oakley RFC 2412, where it stipulates that for Group 1 (768 bits) or 2 (1024 bits) the values "g" and "p" are specifically specified. So, where in fact does the router get these integers from? Are they exchanged in IKE setup (if so, at what point) or are they the integers specified in the Oakley RFC? Or if none of these, where/what/how/why? To add more to this fire, is "a" just randomly created? If not, where does it come from?
Because g and p are not exchanged as numbers. Your first assumption was right. Look into RFC 2409, page 21. There is some confusion about this, because there is an indirect negotiation of g and p. This is the "group" number, sometimes called Oakley or Diffie-Hellman group that is negotiated between both parties. In fact only the groups 1, 2, and 5 use the Diffie-Hellman algorithm and the values for g and p for each group are defined in the RFC.
The other question about the value "a": a is a private key/number which is randomly generated on each party.
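To make the answer above concrete, here is an added Python example (not from the original post or from Cisco IOS) that models what the two routers do: the group number is the only thing negotiated, g and p are looked up from the RFC 2409 Appendix E tables for groups 1 and 2 (g is 2 for both), and each side draws its own random private value a or b. The names `private_value`, `public_value`, `shared_secret` and `simulate_exchange` are this example's own; IKE itself carries the public values inside KE payloads, which is not modelled here.

```python
import secrets

# Oakley/IKE Diffie-Hellman MODP groups as published in RFC 2409, Appendix E.
# Each entry is (generator g, prime p). IKE negotiates only the group number;
# both routers then take g and p from this table, so the numbers never appear
# in any IKE packet.
OAKLEY_GROUPS = {
    1: (2, int(
        "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
        "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
        "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"
        .replace(" ", ""), 16)),
    2: (2, int(
        "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
        "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
        "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
        "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"
        .replace(" ", ""), 16)),
}


def private_value(p):
    """The exponent 'a': a fresh random secret in [2, p-2], kept local to the router."""
    # secrets (not random) so the value is unpredictable; the router never sends it.
    return 2 + secrets.randbelow(p - 3)


def public_value(group, a):
    """Xa = g^a mod p; this is the value that goes into the IKE KE payload."""
    g, p = OAKLEY_GROUPS[group]
    return pow(g, a, p)


def shared_secret(group, peer_public, a):
    """Derive g^(ab) mod p from the peer's public value and our own private exponent."""
    _, p = OAKLEY_GROUPS[group]
    # Reject degenerate peer values (0, 1, p-1): they would force the shared
    # secret into a tiny set regardless of our private exponent.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range for this group")
    return pow(peer_public, a, p)


def simulate_exchange(group):
    """Run both sides of a phase-1 DH exchange; returns (initiator_secret, responder_secret)."""
    _, p = OAKLEY_GROUPS[group]
    a = private_value(p)            # initiator's private number
    b = private_value(p)            # responder's private number
    xa = public_value(group, a)     # sent initiator -> responder
    xb = public_value(group, b)     # sent responder -> initiator
    return shared_secret(group, xb, a), shared_secret(group, xa, b)


if __name__ == "__main__":
    for grp in (1, 2):
        s_i, s_r = simulate_exchange(grp)
        print(f"group {grp}: p is {OAKLEY_GROUPS[grp][1].bit_length()} bits, "
              f"secrets match: {s_i == s_r}")
```

Running it shows the two sides arriving at the same secret for each group without g or p ever being transmitted; only the group number and the two public values cross the link.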
Thank you so very much. I really appreciate the reply. What you say above confirms my understanding of how it all works. The sad thing is this simple little process is so misrepresented in many books and indeed even on some Cisco courses on the subject that it leaves people with a misguided and incorrect understanding of the process.