As of LCOS 10.30, IKEv2 now supports Elliptic Curve Digital Signature Algorithm (ECDSA) as per RFC 4754 in addition to the authentication methods RSA Signature and Digital Signature.
ECDSA signatures are generally smaller than RSA signatures with comparable cryptographic strength. ECDSA keys and certificates also have significantly smaller file sizes than RSA-based keys and certificates. Furthermore, ECDSA operations are generally faster on most devices. The following methods are supported in IKEv2:
- ECDSA with SHA-256 on the P-256 curve
- ECDSA with SHA-384 on the P-384 curve
- ECDSA with SHA-512 on the P-521 curve
Note:
When using OpenSSL to generate certificates, the following predefined curves must be used as parameters for ECDSA in IKEv2:
- prime256v1 with ECDSA-256
- secp384r1 with ECDSA-384
- secp521r1 with ECDSA-512
Note: The following restrictions apply when using ECDSA:
- The negotiation of ECDSA within the Digital Signature method is not supported.
- ECDSA-based certificates currently cannot be generated by the LCOS‘s own CA. Similarly, it is not possible to obtain certificates automatically by means of SCEP. ECDSA certificates must be generated using an external application such as OpenSSL or XCA and then loaded into the device.
In LANconfig under , you can now select these methods for both Local authentication and Remote authentication.
