
Can IKEv2 authentication use a shared secret instead of a cert (RSA)?

This post was last edited by 角色 on 2018-3-2 10:31

Using a cert is more secure, but that security is a bit complicated, and IKEv2 can accept 1) a shared secret, 2) an RSA cert.

Source

The Cisco CG-OS router employs IKEv2 to authenticate to the destination router by using either a
pre-shared key (PSK) or by using RSA signatures with a Public Key Infrastructure (PKI). IKEv2 must
be configured on the source and destination router (peers) and both routers must employ the same
authentication method.
• PSK authenticates each router (peer) by requiring proof of possession of a shared secret. Each router
(peer) must have the same shared secret configured.
• RSA signatures employ a PKI-based method of authentication. (See Configuring PKI, page 6-1.)
IKEv2 interacts with PKI to obtain the identity certificates and to validate the peer (such as Cisco
CG-OS router and head-end router) certificates.


It would be best if RouterOS could accept both authentication methods at the same time!!!

More information on RouterOS IKEv2
https://forum.mikrotik.com/viewtopic.php?t=116865

Using IPSec works, but it can only reach the devices on the other side, without sending all traffic through the remote gateway.

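How the PSK method in the Cisco text quoted above proves possession of the shared secret, as an added example that is not part of the original post: the AUTH value defined in RFC 7296 section 2.15, computed by the initiator and checked by the responder. HMAC-SHA-256 as the PRF, the function names and every byte string below are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # fixed ASCII string from RFC 7296, section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, assumed here as the negotiated PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_auth(psk: bytes, first_msg: bytes, peer_nonce: bytes,
             sk_p: bytes, id_body: bytes) -> bytes:
    """AUTH = prf(prf(PSK, "Key Pad for IKEv2"), <SignedOctets>)."""
    # SignedOctets = sender's first message | peer's nonce | prf(SK_p, ID payload body)
    signed_octets = first_msg + peer_nonce + prf(sk_p, id_body)
    return prf(prf(psk, KEY_PAD), signed_octets)


def verify_peer(configured_psk: bytes, received_auth: bytes, first_msg: bytes,
                own_nonce: bytes, sk_p: bytes, id_body: bytes) -> bool:
    """Recompute AUTH with the locally configured PSK; compare in constant time."""
    expected = psk_auth(configured_psk, first_msg, own_nonce, sk_p, id_body)
    return hmac.compare_digest(expected, received_auth)


# Constructed sample values (not a real capture).
IKE_SA_INIT_REQUEST = bytes(8) + b"constructed IKE_SA_INIT request"
NONCE_R = bytes(range(32))                               # responder nonce data
SK_PI = hashlib.sha256(b"constructed SK_pi").digest()    # stands in for derived SK_pi
ID_I_BODY = bytes([2, 0, 0, 0]) + b"branch.example.test"  # ID_FQDN, 3 reserved bytes, name


def demo():
    """Return (result with matching PSK, result with mismatched PSK)."""
    auth = psk_auth(b"constructed-shared-secret", IKE_SA_INIT_REQUEST,
                    NONCE_R, SK_PI, ID_I_BODY)
    same = verify_peer(b"constructed-shared-secret", auth, IKE_SA_INIT_REQUEST,
                       NONCE_R, SK_PI, ID_I_BODY)
    different = verify_peer(b"another-secret", auth, IKE_SA_INIT_REQUEST,
                            NONCE_R, SK_PI, ID_I_BODY)
    return same, different


if __name__ == "__main__":
    print(demo())
```

The secret itself never crosses the wire; only the AUTH value does, which is why both peers must be configured with the same shared secret for verification to succeed.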

Using a cert is more secure, but that security is a bit complicated, and IKEv2 can accept 1) a shared secret, 2) an RSA cert.
If ...
Posted by 角色 on 2018-3-2 10:28

iOS can use ipsec, authenticating with a shared secret.

But the connection range is only /16 (255.255.0.0),
that is, once ipsec is up, only the 192.168.0.0/16 range is reachable and all other Internet services are cut off.
