Hi all,<br>Can someone throw some more light on this problem of mine? If this cannot be achieved in Main Mode of IKEv1, Aggressive Mode is the other option.<br><br>I understand that it is against the philosophy of strongSwan.<br>
<br>thanks <br>ashutosh<br><br>--------------------------------------------------------------------<br>Hi,<br>
<div class="im"><br>
> whether we can configure different pre-shared keys for each remote<br>
> VPN client (having a DHCP IP) using ids in IKEv1 "Main Mode".<br>
<br>
</div>No, this is not possible.<br>
<br>
Please keep the discussion on the list if you need more details, I'm not<br>
an IKEv1 expert.<br>
<br>
Regards<br>
<font color="#888888">Martin<br>
</font><br>--------------------------------------------------------------------<br>Hi Martin,<br>I have a quick question as to whether we can
configure different pre-shared keys for each remote VPN client (having a
DHCP IP) using ids in IKEv1 "Main Mode". If so, can you describe it briefly?<br>
<br>I am referring to RFC 2409 Section 5.4, which talks about additional
capabilities of Aggressive Mode as compared to Main Mode.<br><br><div id=":4s" class="ii gt">******************************************************************<br>
<pre>5.4 Phase 1 Authenticated With a Pre-Shared Key

   A key derived by some out-of-band mechanism may also be used to
   authenticate the exchange. The actual establishment of this key is
   out of the scope of this document.

   When doing a pre-shared key authentication, Main Mode is defined as
   follows:

            Initiator                        Responder
           -----------                      -----------
            HDR, SA                     -->
                                        <--    HDR, SA
            HDR, KE, Ni                 -->
                                        <--    HDR, KE, Nr
            HDR*, IDii, HASH_I          -->
                                        <--    HDR*, IDir, HASH_R

   Aggressive mode with a pre-shared key is described as follows:

            Initiator                        Responder
           -----------                      -----------
            HDR, SA, KE, Ni, IDii       -->
                                        <--    HDR, SA, KE, Nr, IDir, HASH_R
            HDR, HASH_I                 -->

   <b>When using pre-shared key authentication with Main Mode the key can
   only be identified by the IP address of the peers since HASH_I must
   be computed before the initiator has processed IDir. Aggressive Mode
   allows for a wider range of identifiers of the pre-shared secret to
   be used. In addition, Aggressive Mode allows two parties to maintain
   multiple, different pre-shared keys and identify the correct one for
   a particular exchange.</b></pre><div style="overflow: hidden; color: rgb(0, 0, 0); background-color: transparent; text-align: left; text-decoration: none; border: medium none;">
******************************************************************<br>thanks<br>ashutosh<br>
</div></div><br>
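As an added illustration of the RFC 2409 passage quoted above (example code written for this page, not from the thread or from strongSwan): a Python model of the pre-shared-key SKEYID and HASH_I computation that shows why a Main Mode responder can only choose the PSK by the peer's IP address, while an Aggressive Mode responder can choose it by IDii. The identities, addresses, nonces and DH values are constructed, and the cipher protecting HDR* payloads is a toy XOR stand-in, not IKE's real encryption.

```python
import hmac
import hashlib

def prf(key, data):
    """RFC 2409 prf: HMAC with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

# Constructed sample values shared by both exchanges (not real nonces or DH values)
CTX = dict(ni=b"Ni", nr=b"Nr", gxi=b"g^xi", gxr=b"g^xr", cky_i=b"CI", cky_r=b"CR", sai=b"SAi")
# Two road warriors, each with its own PSK; their DHCP addresses change over time
PSK_BY_ID = {b"alice@example.org": b"alice-secret", b"bob@example.org": b"bob-secret"}
PSK_BY_IP = {"198.51.100.7": b"alice-secret"}  # Main Mode: the responder's only selector

def skeyid_psk(psk):
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, CTX["ni"] + CTX["nr"])

def hash_i(skeyid, idii):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, CTX["gxi"] + CTX["gxr"] + CTX["cky_i"] + CTX["cky_r"] + CTX["sai"] + idii)

def toy_encrypt(skeyid, data):
    """Toy stand-in for the SKEYID_e-keyed cipher on HDR* payloads: XOR with a prf
    keystream. Models only 'unreadable without the PSK-derived key'; not IKE's cipher,
    and the SKEYID_e derivation is collapsed to a single prf call."""
    key_e = prf(skeyid, b"e")
    stream = b"".join(prf(key_e, bytes([i])) for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def initiator_main_mode_msg5(idii, psk):
    """Main Mode message 5 (HDR*, IDii, HASH_I): IDii is readable only after decryption."""
    skeyid = skeyid_psk(psk)
    return toy_encrypt(skeyid, idii + hash_i(skeyid, idii))

def responder_main_mode(peer_ip, msg5):
    """The responder must pick the PSK by source IP before it can see IDii at all."""
    psk = PSK_BY_IP.get(peer_ip)
    if psk is None:
        return False
    skeyid = skeyid_psk(psk)
    plain = toy_encrypt(skeyid, msg5)  # XOR: the same operation decrypts
    idii, received = plain[:-20], plain[-20:]
    return hmac.compare_digest(received, hash_i(skeyid, idii))

def initiator_aggressive_hash_i(idii, psk):
    """Aggressive Mode message 3 (HDR, HASH_I); IDii went in the clear in message 1."""
    return hash_i(skeyid_psk(psk), idii)

def responder_aggressive(idii, received_hash_i):
    """With IDii known from message 1, the responder selects the PSK per identity."""
    psk = PSK_BY_ID.get(idii)
    if psk is None:
        return False
    return hmac.compare_digest(received_hash_i, hash_i(skeyid_psk(psk), idii))
```

When bob's client shows up on the address the responder has mapped to alice's PSK, the Main Mode responder decrypts message 5 with the wrong key and HASH_I verification fails, whereas the Aggressive Mode responder finds bob's PSK from IDii and succeeds.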