03-17-2004 12:38 PM
Hi,
Does PIX support using RSA encr as an authentication method? I found in the documentation that PIX only supports RSA Sig (using a CA) or pre-shared key...
Because I need to do a VPN site-to-site between a Cisco Router (that supports RSA encr) and a PIX.
If it is not supported when it will be available?
Tks
03-17-2004 05:21 PM
it likely is not, assuming you mean rsa encrypted nonces. IOS is the only cisco OS that supports it, pix os and vpn 3000 os do not.
just use pre shared keys.
03-18-2004 03:49 AM
The problem is that pre-shared keys are not acceptable for security reasons.
03-18-2004 06:43 AM
then set up a CA with openssl, windows server, etc. rsa encrypted nonces do not provide for nonrepudiation, which is probably why support for their usage is hard to come by.
disclaimer - I am not a cryptographer:
using long pre-shared keys, with one for each tunnel (i.e., not using the same key for every tunnel you will create) on a point-to-point tunnel (that will only be negotiated between two IP addresses, as opposed to a tunnel open for dynamic tunnel creation) is probably at least as secure as RSA nonces, if not more so. I would tend to think it would be more secure, as it should supply nonrepudiation: you can claim that both sides have the same key, and therefore must be liable for their actions.
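Added example (not from the thread or from Cisco): a small Python audit over IOS `crypto isakmp key` and PIX `isakmp key` lines that flags the three things the reply above argues against: a wildcard or aggregate peer address, a short key, and one key reused across several tunnels. The configuration is constructed for the example, and the 32-character minimum is an assumed threshold.

```python
import re
from collections import defaultdict

# Constructed sample (not a real device config). Deliberately contains a
# wildcard peer, a short key, and that same short key reused for a second peer.
SAMPLE_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp key cisco123 address 192.0.2.10
crypto isakmp key 0 A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0 address 198.51.100.7
isakmp key Zy9Xw8Vu7Ts6Rq5Po4Nm3Lk2Ji1Hg0Fe9Dc8Ba7A address 203.0.113.4 netmask 255.255.255.255
"""

# Matches IOS "crypto isakmp key [0|6] <key> address <peer> [mask]" and
# PIX "isakmp key <key> address <peer> [netmask <mask>]". The mask, when
# present, must be a dotted quad so trailing PIX options are not mistaken for it.
KEY_RE = re.compile(
    r"^\s*(?:crypto\s+)?isakmp\s+key\s+(?:[06]\s+)?(\S+)\s+address\s+(\S+)"
    r"(?:\s+(?:netmask\s+)?(\d+\.\d+\.\d+\.\d+))?",
    re.M,
)
MIN_KEY_LEN = 32  # assumed policy threshold, not a Cisco requirement

def audit_psks(config, min_len=MIN_KEY_LEN):
    """Return a list of human-readable findings for weak PSK usage."""
    findings = []
    peers_by_key = defaultdict(list)
    for m in KEY_RE.finditer(config):
        key, peer, mask = m.group(1), m.group(2), m.group(3)
        # A 0.0.0.0 peer or a non-host mask lets any address in the range use this key.
        if peer == "0.0.0.0" or (mask and mask != "255.255.255.255"):
            findings.append(f"{peer}: wildcard or aggregate peer address; key accepted from a range")
        if len(key) < min_len:
            findings.append(f"{peer}: key only {len(key)} chars (< {min_len})")
        peers_by_key[key].append(peer)
    # One key shared by several tunnels means one leak exposes all of them.
    for key, peers in peers_by_key.items():
        if len(peers) > 1:
            findings.append(f"key shared by {len(peers)} peers: {', '.join(peers)}")
    return findings

if __name__ == "__main__":
    for line in audit_psks(SAMPLE_CONFIG):
        print(line)
```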