電訊茶室's Archiver

角色 posted on 2018-3-2 10:28

Can IKEv2 authentication use a shared secret instead of a cert (RSA)?

This post was last edited by 角色 on 2018-3-2 10:31

Using a cert is more secure, but it is also somewhat complicated, and IKEv2 can accept either 1) a shared secret or 2) an RSA cert.

[url=https://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/1_0/software/configuration/guide/security/security_Book/sec_ipsec_cgr1000.pdf]Source[/url]

[quote]The Cisco CG-OS router employs IKEv2 to authenticate to the destination router by using either a pre-shared key (PSK) or by using RSA signatures with a Public Key Infrastructure (PKI). IKEv2 must be configured on the source and destination router (peers) and both routers must employ the same authentication method.
• PSK authenticates each router (peer) by requiring proof of possession of a shared secret. Each router (peer) must have the same shared secret configured.
• RSA signatures employ a PKI-based method of authentication. (See Configuring PKI, page 6-1.) IKEv2 interacts with PKI to obtain the identity certificates and to validate the peer (such as Cisco CG-OS router and head-end router) certificates.[/quote]

It would be ideal if RouterOS could accept both authentication methods at the same time!!!

More information on RouterOS IKEv2
[url]https://forum.mikrotik.com/viewtopic.php?t=116865[/url]

gfx86674 posted on 2018-3-19 00:29

[quote]Using a cert is more secure, but it is also somewhat complicated, and IKEv2 can accept either 1) a shared secret or 2) an RSA cert.
If ...
角色 posted on 2018-3-2 10:28[/quote]
On iOS you can use IPsec with shared-secret authentication.

But the reachable range is only a /16 (255.255.0.0);
that is, once IPsec is up, only the 192.168.0.0/16 range is reachable, and all other Internet services are cut off.

角色 posted on 2018-5-14 19:23

IPsec works, but it only reaches the devices on the far side, without sending all traffic through the remote gateway.
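As an added example that is not from this thread or from MikroTik's documentation, the RouterOS configuration sketch below shows the two IKEv2 authentication methods discussed above (PSK and certificate) on one peer definition, and the policy whose traffic selector determines which destinations go through the tunnel, matching the /16-only behaviour described earlier. It assumes RouterOS v6.43 or later command syntax; all names, addresses, secrets and certificate names are placeholders.

```routeros
# Added example; assumes RouterOS v6.43+ syntax. All names and addresses are placeholders.

# Phase 1 parameters: avoid weak algorithms (AES-256, SHA-256, modp2048)
/ip ipsec profile add name=ike2-prof enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 nat-traversal=yes
/ip ipsec proposal add name=ike2-prop enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# Remote gateway (placeholder address), negotiated with IKEv2
/ip ipsec peer add name=ike2-peer address=203.0.113.10/32 exchange-mode=ike2 profile=ike2-prof

# Option 1: pre-shared key. Both ends must hold the same secret; use a long random value.
/ip ipsec identity add peer=ike2-peer auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# Option 2: certificates (the RSA-signature method in the Cisco text). Both peers must use the
# same method, so keep only one identity active per peer. "client.crt" and "gateway.crt" are
# placeholder names of certificates imported under /certificate beforehand.
# /ip ipsec identity add peer=ike2-peer auth-method=digital-signature certificate=client.crt remote-certificate=gateway.crt

# Traffic selector: only destinations in 192.168.0.0/16 are sent through the tunnel (split tunnel).
# dst-address=0.0.0.0/0 would instead route all traffic via the remote gateway.
/ip ipsec policy add peer=ike2-peer tunnel=yes src-address=192.168.88.0/24 dst-address=192.168.0.0/16 proposal=ike2-prop
```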
