Cisco != consistency

Posted: October 28, 2011 in technical
Tags: , , ,

You do remember my love for this magnificent vendor. Now I am looking at an IKEv2 configuration when using RSA X.509 digital certificates.

The trust-point is defined as for any Cisco switch.

If for IKEv1, I would configure RSA-SIG auth like this:

crypto ikev1 enable untrusted
crypto ikev1 policy 1
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 3600

– Usually this is enough for the Phase 1 – authentication to take place. We have RSA, we need to use RSA for authentication.

But for IKEv2, trying to be CONSISTENT, a basic requirement for any equipment on the market, is done like this:

crypto ikev2 enable untrusted
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 3600
tunnel-group myIPsecGroup ipsec-attributes
 peer-id-validate cert
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate myTrustPointCA

I would sadly add: don’t you find it naturally that in IKEv2, the authentication has no place in the Phase 1 definition, but rather somewhere below, where I define the transform-sets (which, by the way, in IKEv2 are called differently) for the Phase 2 ??!!!

Not mentioning the fact that Cisco is the latest guy to arrive at the finish line with IKEv2 (heey, we are in 2011!!), they proved us again what a professional company it is. I would expect a no-name company from China not to be able to accomplish one of the most important requirements of professional software design: Consistency, but…Cisco? 😦


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s