[strongSwan-dev] AGGRESSIVE-MODE

Goshen, Ido (Ido) igoshen at avaya.com
Wed Feb 16 09:52:49 CET 2011



I understand StrongSWAN doesn't support AGGRESSIVE-MODE (AM) on purpose
as it is less secure.

From StrongSWAN FAQ:

"Q: Does strongSwan support IKEv1 Aggressive Mode?

A: Quote from Andreas Steffen:
No, strongSwan does not support IKEv1 Aggressive Mode and never
will. Otherwise we would have called the project "weakSwan"."

AM is very, very common in the industry, especially with remote clients.

The alternatives for AM are not that easy; the market shift to IKEv2 will
probably take a while and RSA authentication requires PKI management.


Lack of AM probably prevents wide implantation of the package.


Adding AM will make StrongSWAN a complete VPN Solution and the 1st
choice (when googling comparison with other packages it always appears
as StrongSWAN's big minus). Consider even somehow adding it disabled by
default (e.g. require a WEAK compilation flag, or even as a patch) - so
one that will need it will need to be aware of it and actively enable it.


Are there considerations to add it to StrongSWAN's roadmap? 

Anyone known to be working on it?



-        Ido








