andreas.steffen at strongswan.org
Wed Feb 16 10:23:36 CET 2011
On 16.02.2011 09:52, Goshen, Ido (Ido) wrote:
> I understand StrongSWAN doesn’t support AGGRESSIVE-MODE (AM) on purpose
> as it is less secure.
> From StrongSWAN FAQ:
> “*Q:* /Does strongSwan support IKEv1 Aggressive Mode?/
> *A:* Quote from Andreas Steffen:
> bq. No, strongSwan does *not* support IKEv1 Aggressive Mode
> and *never* will. Otherwise we would have called the project "weakSwan".”
That's still true!
> AM is very very common in the industry especially with remote-clients
> The alternatives for AM are not that easy, market shift to IKEv2 will
> probably take a while and RSA authentication requires PKI management.
The IKEv2 RFC 4306 was released in December 2005 and we had strongSwan
4.0 out in spring 2006! The market has had more than five years to
shift and starting in 2010 we now see the emergence of commercial
IKEv2 products (Windows 7, Cisco IOS, Checkpoint, etc.)
> Lack of AM probably prevents wide implantation of the package.
We know that we are deliberately losing part of the market but
strongSwan's main focus is clearly on IKEv2 where we have by far
the strongest and most complete Open Source package.
> Adding AM will make StrongSWAN a complete VPN Solution and the 1st
> choice (when googling comparison with other packages it always appears
> as StrongSWAN’s big minus). Consider even somehow adding it disabled by
> default (e.g. use require WEAK compilation flag or even as a patch) – so
> one that will need it will need to be aware of it and actively enable it.
> Are there considerations to add it to StrongSWAN’s roadmap?
> Anyone known to be working on it?
> - Ido
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)