IPsec 2000 Interop Demo
Hervé Schauer Consultants (HSC), IPsec resources

Description
This document and the associated sub-documents form a report on the tests conducted while setting up an interoperability demonstration platform for the IPsec 2000 conference.

Dates
- 24-27 October 2000: IPsec 2000 conference
- 13 November 2000: publication of the results on www.hsc.fr

Table of contents
- Introduction
- Implementations tested
- Network layout
- Tests conducted
- Results - Initial negotiation
- Results - SA deletion and renewal
- Configurations and details on the implementations

Related documents
- IPsec 2001 - IKE Interoperability Demonstrations and Tests (October 2001)
- IPsec theme

Author: Ghislaine Labouret
Copyright © 2000, Hervé Schauer Consultants, all rights reserved.
Last modified on 23 October 2002 at 15:26:12 CET.

Introduction

On the occasion of the IPsec 2000 conference, organised by Upper Side, an IKE/IPsec demonstration and test platform was set up. Vendors were invited to take part in the event, which was coordinated by HSC. HSC acted as an integrator, but mainly provided its expertise in network security, and in IPsec in particular.

The aims of this event were to:
- demonstrate interoperability to the public;
- get a feeling for the feature level of current IPsec implementations.

This event was not a bakeoff: it was not intended to perform exhaustive or advanced feature testing.

This report covers the tests performed during the two following stages:
- Preparation in HSC's office, from Thursday 19 to Monday 23 October: network setup, then tests to find working configurations.
- Demonstration during the IPsec 2000 conference, from Tuesday 24 to Friday 27 October.

Implementations tested

Four IPsec device vendors participated:
- Alcatel, with the Alcatel 7130 Secure VPN Gateway
- Check Point, with VPN-1 (v4.1 running on Windows NT 4.0)
- Nortel, with the Contivity Extranet Switch 1500 (v3.0)
- RedCreek, with the Ravlin 10

HSC added two open-source implementations:
- FreeS/WAN (v1.6 running on Red Hat Linux 6.2)
- KAME (v20001023 running on FreeBSD 4.1)

In addition to these IPsec implementations, two network analysers were used:
- Ethereal, presented by HSC (Ethereal is free and open source, and available on Unix and Windows)
- NetCocoon Analyser, presented by its publisher, Matsushita Electric Works

Finally, the certificates used were generated locally with OpenSSL.

Network layout

All the devices were directly interconnected through a 10BASE-T Ethernet network, simply made of two 16-port hubs.

The addressing plan was as follows:

The following services were provided:
- Internet access: ISDN router (192.168.1.1) with a free ISP; NATed :-(
- DNS server (192.168.1.40): ipsec2000.fr domain, with one _vendor_.ipsec2000.fr sub-domain per vendor
- Anonymous FTP server for (quick and dirty) file exchange
- Certificate authority

Tests conducted

The test case was the following:
- Fully meshed, gateway-to-gateway VPN
- Protect all traffic between internal networks
- Use IKE exclusively (no manually keyed IPsec)
- Phase 1 parameters: Main Mode, 3DES, SHA-1, DH group 2, default lifetimes
- Peer authentication: pre-shared key, or RSA signature
- Phase 2 parameters: no PFS; protect all traffic between internal networks; negotiate tunnel mode ESP (3DES, HMAC-SHA-1); no compression

The situations which were tested were:
- Initial negotiation
- Voluntary SA deletion
- Rekeying

Checking was performed using logs, pings and web accesses, and with the network analysers. The tests were very IKE-oriented; no real IPsec-level test was performed (no fragmentation test, for example).

Results - Initial negotiation

Overall, few adaptations from the default configurations were necessary and few bugs were encountered.

Pre-Shared Key authentication

All the implementations were able to interoperate, both as initiator and as responder: for each pair, we were able to find a configuration which led to the creation of functional ISAKMP and IPsec SAs.

RSA Signature authentication

- Alcatel: not tested, because we could not get the box to accept our certificates.
- Check Point: successfully tested with KAME and Nortel.
- FreeS/WAN: FreeS/WAN does not include certificate support; public keys have to be exchanged off-line or via DNSSEC (there is an X.509 patch for FreeS/WAN, but we did not use it). Nortel and Check Point both require on-line certificate exchange, so they cannot interoperate with FreeS/WAN. KAME, on the other hand, can get public keys by off-line means, and it interoperates correctly with FreeS/WAN using RSA signature authentication.
- KAME: successfully tested with Check Point, FreeS/WAN and Nortel.
- Nortel: successfully tested with Check Point and KAME.
- RedCreek: the RSA signature authentication method is not available on this device.

Results - SA deletion and renewal

Voluntary SA deletion

When an IPsec device deletes security associations (at the end of their lifetime, or on an administrator's action), it is supposed to send "SA deletion" informational messages (an ISAKMP Informational exchange carrying a Delete payload), so that the peer device can also delete the SAs involved. The tested devices follow this rule, with two exceptions:
- FreeS/WAN does not send any SA deletion message, and does not take received ones into account.
- Check Point VPN-1 does not send any SA deletion message.

SA renewal

Security association renewal was not thoroughly tested. The tests conducted on IPsec SA renewal were successful; no explicit test was conducted on IKE SA renewal.

Configurations and details on the implementations

Configuration details are given in the sub-documents for:
- FreeS/WAN
- KAME
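The two checks that recur in this report, that a peer's Main Mode offer carries the agreed Phase 1 profile (Tests conducted) and that a peer tears an SA down with a Delete payload (Voluntary SA deletion), can be made on the ISAKMP messages themselves. The Python decoder below is an added example written for this report; it is not HSC's code, not any vendor's, and not taken from the configuration sub-documents. It relies only on the RFC 2408 and RFC 2409 wire encodings; the two sample messages it builds (build_main_mode_sa and build_delete) are constructed for illustration with made-up cookies and SPIs. It goes slightly beyond the text: the profile check accepts either pre-shared key or RSA signature authentication, and the Delete decoder handles both ESP SPIs and an ISAKMP SA (a cookie pair).

```python
"""ISAKMP (RFC 2408) decoder for two checks made in the interop tests: does a Main Mode
offer carry the agreed Phase 1 profile, and does a peer send a Delete payload when it
tears an SA down. Added example, not HSC's or a vendor's code; messages are constructed."""
import struct

SA, DELETE = 1, 12                                   # ISAKMP payload types
EXCHANGE = {2: "Main Mode", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
FLAG_ENCRYPTED = 0x01                                # header flag E
ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life"}
AUTH = {1: "PSK", 3: "RSA-Sig"}                      # RFC 2409 appendix A values
PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP"}
PROFILE = {"enc": 5, "hash": 2, "group": 2}          # 3DES-CBC, SHA-1, DH group 2

def parse_attributes(data):
    """Decode transform attributes (TV or TLV form) into {class: value}."""
    attrs, off = {}, 0
    while off < len(data):
        typ, val = struct.unpack_from("!HH", data, off)
        if typ & 0x8000:                             # TV: the 2-byte value follows
            attrs[ATTR.get(typ & 0x7FFF, typ & 0x7FFF)] = val
            off += 4
        else:                                        # TLV: val is the value length
            attrs[ATTR.get(typ, typ)] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs

def parse_transforms(data):
    """Walk the transform payload chain inside one proposal."""
    out, off = [], 0
    while off < len(data):
        _, _, length, tnum, tid = struct.unpack_from("!BBHBB", data, off)
        out.append({"num": tnum, "id": tid, **parse_attributes(data[off + 8:off + length])})
        off += length
    return out

def parse_message(msg):
    """Return (header, payloads). An encrypted body is left alone: on the wire a
    passive analyser then only sees the exchange type and the E flag."""
    _, _, nxt, _, xchg, flags, mid, length = struct.unpack_from("!8s8sBBBBII", msg, 0)
    hdr = {"exchange": EXCHANGE.get(xchg, xchg), "encrypted": bool(flags & FLAG_ENCRYPTED), "msgid": mid}
    payloads, off = [], 28
    while not hdr["encrypted"] and nxt != 0 and off < length:
        pnxt, _, plen = struct.unpack_from("!BBH", msg, off)
        body = msg[off + 4:off + plen]               # payload minus its generic header
        if nxt == SA:                                # DOI, situation, then the first proposal
            _, _, plen2, _, proto, spisz, _ = struct.unpack_from("!BBHBBBB", body, 8)
            transforms = parse_transforms(body[16 + spisz:8 + plen2])
            payloads.append({"type": "SA", "proto": PROTO.get(proto, proto), "transforms": transforms})
        elif nxt == DELETE:                          # DOI, protocol, SPI size, #SPIs, SPIs
            _, proto, spisz, nspi = struct.unpack_from("!IBBH", body, 0)
            spis = [body[8 + i * spisz:8 + (i + 1) * spisz].hex() for i in range(nspi)]
            payloads.append({"type": "Delete", "proto": PROTO.get(proto, proto), "spis": spis})
        nxt, off = pnxt, off + plen                  # other payload types are skipped
    return hdr, payloads

def phase1_profile_ok(msg):
    """True if a Main Mode SA offers 3DES/SHA-1/group 2 with PSK or RSA-Sig authentication."""
    hdr, payloads = parse_message(msg)
    if hdr["exchange"] != "Main Mode":
        return False
    return any(all(t.get(k) == v for k, v in PROFILE.items()) and t.get("auth") in AUTH
               for p in payloads if p["type"] == "SA" for t in p["transforms"])

def delete_check(msg):
    """Classify an Informational: ('delete', proto, spis) when a Delete payload is visible,
    ('encrypted', None, []) when only the exchange is, or ('no-delete', None, [])."""
    hdr, payloads = parse_message(msg)
    if hdr["exchange"] != "Informational":
        return ("not-informational", None, [])
    if hdr["encrypted"]:
        return ("encrypted", None, [])
    for p in payloads:
        if p["type"] == "Delete":
            return ("delete", p["proto"], p["spis"])
    return ("no-delete", None, [])

def _tv(cls, val):                                   # basic (TV) attribute encoding
    return struct.pack("!HH", 0x8000 | cls, val)

def build_main_mode_sa(auth, enc=5, hsh=2, group=2):
    """Constructed first Main Mode message carrying one KEY_IKE transform (made-up cookies)."""
    attrs = _tv(1, enc) + _tv(2, hsh) + _tv(3, auth) + _tv(4, group) + _tv(11, 1) + _tv(12, 28800)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, SA, 0x10, 2, 0, 0, 28 + len(sa))
    return hdr + sa

def build_delete(proto, spis, encrypted=False):
    """Constructed Informational exchange carrying one Delete payload (made-up cookies)."""
    body = struct.pack("!IBBH", 1, proto, len(spis[0]), len(spis)) + b"".join(spis)
    delete = struct.pack("!BBH", 0, 0, 4 + len(body)) + body
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, DELETE, 0x10, 5,
                      FLAG_ENCRYPTED if encrypted else 0, 0x0BADCAFE, 28 + len(delete))
    return hdr + delete

if __name__ == "__main__":
    print(phase1_profile_ok(build_main_mode_sa(1)))
    print(delete_check(build_delete(3, [bytes.fromhex("deadbeef"), bytes.fromhex("cafef00d")])))
```

The caveat encoded in delete_check matters for the analyser-based checks described above: once Phase 1 is up, a peer sends its Informational exchange with the E flag set, so Ethereal or NetCocoon only shows that an Informational message left the box and it has to be correlated with the SA going down; the Delete payload itself, with its protocol and SPI list, is visible only in the peers' logs or after decryption.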