[strongSwan] Fwd: Re:

Ashutosh Datta ashutoshdatta at gmail.com
Fri Jun 18 07:03:41 CEST 2010


Hi all,
Can someone throw some more light on this problem of mine? If this cannot be
achieved in Main mode of IKEv1, aggressive mode is the other option.

I understand that it is against the philosophy of strongSwan.

thanks
ashutosh

--------------------------------------------------------------------
Hi,

>  whether we can configure different pre-shared keys for each remote
> VPN client (having a DHCP IP) using ids in IKEv1 "Main Mode".

No, this is not possible.

Please keep the discussion on the list if you need more details, I'm not
an IKEv1 expert.

Regards
Martin

--------------------------------------------------------------------
Hi Martin,
    I have a quick question, as to whether we can configure different
pre-shared keys for each remote VPN client (having a DHCP IP) using ids in
IKEv1 "Main Mode". If so, can you describe it briefly?

I am referring to RFC2409 Section 5.4, which talks about additional
capabilities of Aggressive mode as compared to Main mode.

******************************************************************************************

5.4 Phase 1 Authenticated With a Pre-Shared Key

   A key derived by some out-of-band mechanism may also be used to
   authenticate the exchange. The actual establishment of this key is
   out of the scope of this document.

   When doing a pre-shared key authentication, Main Mode is defined as
   follows:

              Initiator                        Responder
             ----------                       -----------
              HDR, SA             -->
                                  <--    HDR, SA
              HDR, KE, Ni         -->
                                  <--    HDR, KE, Nr
              HDR*, IDii, HASH_I  -->
                                  <--    HDR*, IDir, HASH_R

   Aggressive mode with a pre-shared key is described as follows:

            Initiator                        Responder
           -----------                      -----------
            HDR, SA, KE, Ni, IDii -->
                                  <--    HDR, SA, KE, Nr, IDir, HASH_R
            HDR, HASH_I           -->

   *When using pre-shared key authentication with Main Mode the key can
   only be identified by the IP address of the peers since HASH_I must
   be computed before the initiator has processed IDir. Aggressive Mode
   allows for a wider range of identifiers of the pre-shared secret to
   be used. In addition, Aggressive Mode allows two parties to maintain
   multiple, different pre-shared keys and identify the correct one for
   a particular exchange.*

******************************************************************************************
thanks
ashutosh
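The point of the quoted RFC 2409 passage, as an added illustration that is not part of this thread or of strongSwan's code: a Python model of the section 5 key derivations showing why a Main Mode responder has to pick the pre-shared key before it can read IDii (so only the peer address is available as a selector), while an Aggressive Mode responder sees IDii in the clear first. The HMAC-SHA1 prf, the exchange values in EXCH and the keystream cipher are constructed assumptions; no real Diffie-Hellman or IKE packet parsing is modelled.

```python
import hmac
import hashlib

# Constructed exchange values shared by both peers (no real Diffie-Hellman is run here).
EXCH = dict(ni_b=b"nonce-init-01", nr_b=b"nonce-resp-02", gxy=b"dh-shared-secret",
            gxi=b"g^xi", gxr=b"g^xr", cky_i=b"CKYI1234", cky_r=b"CKYR5678", sai_b=b"sa-body")

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed over the negotiated hash; SHA-1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, x: dict) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, x["ni_b"] + x["nr_b"])

def skeyid_e(skeyid: bytes, x: dict) -> bytes:
    """RFC 2409 section 5: SKEYID_d, SKEYID_a, then SKEYID_e, the key for HDR* (encrypted) messages."""
    ck = x["cky_i"] + x["cky_r"]
    d = prf(skeyid, x["gxy"] + ck + b"\x00")
    a = prf(skeyid, d + x["gxy"] + ck + b"\x01")
    return prf(skeyid, a + x["gxy"] + ck + b"\x02")

def hash_i(skeyid: bytes, x: dict, idii_b: bytes) -> bytes:
    """RFC 2409 section 5: HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, x["gxi"] + x["gxr"] + x["cky_i"] + x["cky_r"] + x["sai_b"] + idii_b)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the negotiated cipher; it models only that HDR* payloads need SKEYID_e."""
    stream = b"".join(prf(key, bytes([i])) for i in range(len(data) // 20 + 1))
    return bytes(p ^ s for p, s in zip(data, stream))

def initiator_main_msg5(psk: bytes, idii_b: bytes) -> bytes:
    """Main Mode, initiator's third message: HDR*, IDii, HASH_I encrypted under SKEYID_e."""
    skeyid = skeyid_psk(psk, EXCH)
    return keystream_xor(skeyid_e(skeyid, EXCH), idii_b + hash_i(skeyid, EXCH, idii_b))

def main_mode_responder(psk_by_ip: dict, src_ip: str, msg5: bytes):
    """Main Mode responder: the PSK is needed to read IDii, so only the peer address can select it.
    Returns the authenticated IDii, or None when HASH_I does not verify under the selected PSK."""
    skeyid = skeyid_psk(psk_by_ip.get(src_ip) or psk_by_ip["%any"], EXCH)
    pt = keystream_xor(skeyid_e(skeyid, EXCH), msg5)
    idii_b, recv = pt[:-20], pt[-20:]
    return idii_b if hmac.compare_digest(recv, hash_i(skeyid, EXCH, idii_b)) else None

def aggressive_mode_responder(psk_by_id: dict, idii_b: bytes, recv_hash_i: bytes) -> bool:
    """Aggressive Mode responder: IDii arrived in the clear in message 1, so the PSK is selected
    by identity before HASH_R is built and the unencrypted HASH_I of message 3 is verified."""
    psk = psk_by_id.get(idii_b)
    return psk is not None and hmac.compare_digest(recv_hash_i, hash_i(skeyid_psk(psk, EXCH), EXCH, idii_b))
```

With a roaming client on a dynamic address, the Main Mode responder can only have one PSK under `%any`, so a second client with its own key never authenticates; keying by IDii is only possible once the identity is visible before the key is needed.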