[strongSwan] Fwd: Re:
Ashutosh Datta
ashutoshdatta at gmail.com
Fri Jun 18 07:03:41 CEST 2010
Hi all,
Can someone throw some more light on this problem of mine? If this cannot be
achieved in Main mode of IKEv1, aggressive mode is the other option.
I understand that it is against the philosophy of strongSwan.
thanks
ashutosh
--------------------------------------------------------------------
Hi,
> whether we can configure different pre-shared keys for each remote
> VPN client (having a DHCP IP) using ids in IKEv1 "Main Mode".
No, this is not possible.
Please keep the discussion on the list if you need more details, I'm not
an IKEv1 expert.
Regards
Martin
--------------------------------------------------------------------
Hi Martin,
I have a quick question, as to whether we can configure different
pre-shared keys for each remote VPN client (having a DHCP IP) using ids in
IKEv1 "Main Mode". If so, can you describe it briefly?
I am referring to RFC2409 Section 5.4, which talks about additional
capabilities of Aggressive mode as compared to Main mode.
******************************************************************************************
5.4 Phase 1 Authenticated With a Pre-Shared Key
A key derived by some out-of-band mechanism may also be used to
authenticate the exchange. The actual establishment of this key is
out of the scope of this document.
When doing a pre-shared key authentication, Main Mode is defined as
follows:

        Initiator                        Responder
       ----------                       -----------
        HDR, SA             -->
                            <--    HDR, SA
        HDR, KE, Ni         -->
                            <--    HDR, KE, Nr
        HDR*, IDii, HASH_I  -->
                            <--    HDR*, IDir, HASH_R

Aggressive mode with a pre-shared key is described as follows:

        Initiator                        Responder
       -----------                      -----------
        HDR, SA, KE, Ni, IDii -->
                              <--    HDR, SA, KE, Nr, IDir, HASH_R
        HDR, HASH_I           -->

*When using pre-shared key authentication with Main Mode the key can
only be identified by the IP address of the peers since HASH_I must
be computed before the initiator has processed IDir. Aggressive Mode
allows for a wider range of identifiers of the pre-shared secret to
be used. In addition, Aggressive Mode allows two parties to maintain
multiple, different pre-shared keys and identify the correct one for
a particular exchange.*
******************************************************************************************
thanks
ashutosh
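
Added example, not part of the original messages and not strongSwan code: a Python sketch of the RFC 2409 key derivation showing why a Main Mode responder can only pick the pre-shared key by source address (IDii sits inside the encrypted HDR* message), while in Aggressive Mode the cleartext IDii can index it. The identities, secrets, addresses, nonces and function names are constructed for illustration, and HMAC-SHA1 is assumed as the negotiated prf.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 stands in for the negotiated prf (assumption).
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_e(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5: derive the key that protects HDR* messages."""
    skeyid = prf(psk, ni + nr)                # SKEYID for pre-shared key auth
    tail = gxy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    return prf(skeyid, skeyid_a + tail + b"\x02")

# Constructed responder configuration (hypothetical names and secrets).
PSK_BY_ID = {"alice@example.org": b"alice-secret", "bob@example.org": b"bob-secret"}
PSK_BY_IP = {"192.0.2.10": b"site-a-secret"}  # only usable for static peers
WILDCARD_PSK = b"group-secret"                # shared by all unknown addresses

def responder_select_psk(mode, src_ip, idii):
    if mode == "aggressive":
        # IDii arrived in cleartext in message 1, so it can index the secret.
        return PSK_BY_ID.get(idii)
    # Main Mode: IDii is inside encrypted message 5, and decrypting it already
    # requires SKEYID_e. Only the packet's source address is known here.
    return PSK_BY_IP.get(src_ip, WILDCARD_PSK)

def keys_agree(mode, idii, client_psk, src_ip):
    """True if initiator and responder derive the same SKEYID_e."""
    ni, nr = b"N" * 16, b"R" * 16             # constructed nonces
    gxy, cky_i, cky_r = b"\x42" * 128, b"I" * 8, b"C" * 8  # constructed DH secret, cookies
    responder_psk = responder_select_psk(mode, src_ip, idii)
    if responder_psk is None:
        return False
    mine = skeyid_e(client_psk, ni, nr, gxy, cky_i, cky_r)
    theirs = skeyid_e(responder_psk, ni, nr, gxy, cky_i, cky_r)
    return hmac.compare_digest(mine, theirs)

if __name__ == "__main__":
    dhcp_ip = "198.51.100.77"                 # constructed DHCP-assigned address
    for mode, psk in [("main", b"alice-secret"), ("main", b"group-secret"),
                      ("aggressive", b"alice-secret")]:
        print(mode, psk, keys_agree(mode, "alice@example.org", psk, dhcp_ip))
```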