Cisco Support Community

New Member

Using RSA encr authentication on PIX

Hi,

Does the PIX have support for using RSA encr as an authentication method? I found in the documentation that the PIX only supports RSA Sig (using a CA) or pre-shared keys...

This is because I need to set up a site-to-site VPN between a Cisco router (which supports RSA encr) and a PIX.

If it is not supported, when will it be available?

Thanks

4 REPLIES
Silver

Re: Using RSA encr authentication on PIX

It likely is not, assuming you mean RSA encrypted nonces. IOS is the only Cisco OS that supports it; PIX OS and VPN 3000 OS do not.

Just use pre-shared keys.

New Member

Re: Using RSA encr authentication on PIX

The problem is that pre-shared keys are not acceptable for security reasons.

Silver

Re: Using RSA encr authentication on PIX

Then set up a CA with OpenSSL, Windows Server, etc. RSA encrypted nonces do not provide for non-repudiation, which is probably why support for their usage is hard to come by.

Disclaimer: I am not a cryptographer.

Using long pre-shared keys, with one for each tunnel (i.e., not using the same key for every tunnel you create), on a point-to-point tunnel (one that will only be negotiated between two IP addresses, as opposed to a tunnel open for dynamic tunnel creation) is probably at least as secure as RSA nonces, if not more so. I would tend to think it would be more secure, as it should supply non-repudiation: you can claim that both sides have the same key, and therefore both must be liable for their actions.
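As an added illustration of the advice in the last reply (not configuration from the thread or from Cisco), the fragments below contrast a wildcard pre-shared key accepted from any peer with the per-tunnel keys bound to a single static peer that the reply recommends, plus the RSA signature policy line used when a CA is available. The syntax is the PIX 6.x / IOS ISAKMP command set; peer addresses, key placeholders, ACL and transform-set names are assumptions.

```cisco
! ---- Weak PIX setting: one short key, reused for every tunnel, accepted from any address ----
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! 0.0.0.0/0.0.0.0 means any peer that knows this key can bring up phase 1
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0

! ---- Hardened PIX setting: a distinct long random key per tunnel, bound to exactly one peer ----
! <TUNNEL_A_SECRET> / <TUNNEL_B_SECRET>: placeholders for long random strings, never shared between tunnels
isakmp key <TUNNEL_A_SECRET> address 203.0.113.10 netmask 255.255.255.255
isakmp key <TUNNEL_B_SECRET> address 198.51.100.20 netmask 255.255.255.255
! Static crypto map entries: each tunnel negotiates only with its named peer
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address tunnel_a_acl
crypto map vpnmap 10 set peer 203.0.113.10
crypto map vpnmap 10 set transform-set strong_ts
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address tunnel_b_acl
crypto map vpnmap 20 set peer 198.51.100.20
crypto map vpnmap 20 set transform-set strong_ts
crypto map vpnmap interface outside

! ---- Alternative when a CA is deployed: certificate authentication instead of a shared secret ----
! (CA enrollment commands omitted; only the policy authentication method changes)
isakmp policy 20 authentication rsa-sig

! ---- Matching IOS router side for tunnel A (the PIX outside address is assumed to be 192.0.2.1) ----
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp key <TUNNEL_A_SECRET> address 192.0.2.1
```

The key on each side must match exactly and should be unique to that tunnel, so compromising one tunnel's secret does not expose the others.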
