Having just completed our IPSec implementation (and testing its compatibility
with most other IPSec implementations), I can tell you that the biggest hurdle
is its lack of an "accepted" key exchange mechanism. Currently we are using a
sneakernet, S/MIME or PGP manual exchange mechanism for keys. Both SKIP and
Photuris are still at the development stage and are not cross-compatible.

In our own implementation we stuck with the basics: DES/3DES and Keyed MD5
header authentication with manual key exchange. We used Phil Karn's excellent
DES/3DES 80x86 assembly code for the encryption/decryption engine and get
about 10 megabits/sec on a 150 MHz Pentium (this code is in the public domain
and can be used by anyone). Phil's code has also made its way overseas
(through no fault of Phil's) so it can be used outside of the U.S. as well.
The Linux and BSD versions we tested were developed outside of the U.S. There
is *not* a lack of free code.

The encrypted-authenticated tunnels work like a charm even in a heterogeneous
network (IBM Secure Gateway, Linux IPSec, etc.) and we had no problems.

*Our* problem is that once you get into automated key exchanges you are
talking public key crypto and royalties out the ying-yang. DES/3DES and MD5
can be used royalty free. Not everyone can agree on which public key crypto
company to make rich by choosing a key exchange mechanism ;-) At least IBM
granted the use of its IKMP protocol for free in Photuris implementations (RFC

Until you can automatically swap keys, change them mid-session, and work with
any combination of Firewall/OS, you will not have widespread acceptance of

Michael W. Chalkley Tel: +1.770.772.4567
ZapNet! Inc. Fax: +1.770.475.7640
Suite 400-120 E-mail: mikech @
10945 State Bridge Road mikech @
Alpharetta, GA 30202 http://www.iproute.com