[strongSwan] ipsec secrets
yordanos beyene
yordanosb at gmail.com
Tue Dec 11 10:26:53 CET 2012
Thank you so much Martin for the quick response.
Now I understand. The IP address lookup came into the picture to address the Main
Mode issue.
Best,
Jordan.
On Tue, Dec 11, 2012 at 12:53 AM, Martin Willi <martin at strongswan.org> wrote:
> Hi Jordan,
>
> > Is this expected? Can any one please explain to me whether there is
> > dependency between PSK selector and connection leftid/rightid?
>
> The problem is that with IKEv1 in Main Mode, you need the PSK before you
> even get the remote identity or could look up an associated
> configuration. Therefore, we use the following to get a PSK:
>
> 1. Try to find a PSK by the remote and local IP address. This will
> yield the PSK in your configuration.
> 2. If no PSK is found, but we are using aggressive mode or act as
> initiator, we can look up the PSK using the peer identities.
> 3. If no PSK is found, the daemon tries to find a configuration by
> the local and remote IP address, and then uses the
> configuration's peer identities to find a PSK.
>
> In practice, using different PSKs for clients without a static IP is
> difficult, IKEv1 just doesn't allow that. You could use aggressive mode
> where the identity is transferred in plain, but this makes you
> vulnerable to dictionary attacks against your PSK.
>
> So the recommendation is: Don't use PSKs for IKEv1 clients not having a
> static IP.
>
> Regards
> Martin
>
>
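The three-step lookup Martin describes above, modelled as a small Python program. This is an added illustration, not strongSwan code: the secrets table, connection definitions, identities (@gw, @alice, @branch-b) and addresses are constructed, and the selector matching is a simplified version of ipsec.secrets semantics (a secret matches when both the local and the remote value are covered by its selector list, with %any as a wildcard). It shows which step supplies the PSK for a static-IP peer and why a Main Mode responder ends up with no PSK at all for a road warrior that has its own secret.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Secret:
    # Selectors of one ipsec.secrets line, e.g. ("192.0.2.1", "203.0.113.5")
    # or ("@gw", "@alice"); %any acts as a wildcard (constructed, simplified model).
    selectors: Tuple[str, ...]
    psk: bytes


@dataclass(frozen=True)
class Conn:
    # A simplified ipsec.conf connection: addresses plus leftid/rightid.
    name: str
    left: str
    right: str      # remote address or "%any"
    leftid: str
    rightid: str    # remote identity or "%any"


def _sel_match(selector: str, value: str) -> bool:
    return selector == "%any" or selector == value


def lookup_psk(secrets: List[Secret], local: str, remote: str) -> Optional[bytes]:
    """Return the PSK whose selectors cover both the local and the remote value."""
    for s in secrets:
        if any(_sel_match(x, local) for x in s.selectors) and \
           any(_sel_match(x, remote) for x in s.selectors):
            return s.psk
    return None


def find_conn(conns: List[Conn], local_ip: str, remote_ip: str) -> Optional[Conn]:
    """First connection whose left/right addresses cover the IP pair (order matters:
    a right=%any connection should come last or it shadows the specific ones)."""
    for c in conns:
        if c.left == local_ip and _sel_match(c.right, remote_ip):
            return c
    return None


def select_psk(secrets: List[Secret], conns: List[Conn], local_ip: str, remote_ip: str,
               *, aggressive: bool, initiator: bool,
               local_id: Optional[str] = None, remote_id: Optional[str] = None
               ) -> Tuple[Optional[bytes], int]:
    """Apply the three lookup steps in order; return (psk, step) or (None, 0)."""
    # Step 1: by local and remote IP address.
    psk = lookup_psk(secrets, local_ip, remote_ip)
    if psk is not None:
        return psk, 1
    # Step 2: by peer identities, only when they are already known, i.e. in
    # aggressive mode or when we are the initiator. A Main Mode responder
    # has not received the remote identity yet, so remote_id is None here.
    if (aggressive or initiator) and local_id and remote_id:
        psk = lookup_psk(secrets, local_id, remote_id)
        if psk is not None:
            return psk, 2
    # Step 3: find a connection by IP pair and use its configured identities.
    conn = find_conn(conns, local_ip, remote_ip)
    if conn is not None:
        psk = lookup_psk(secrets, conn.leftid, conn.rightid)
        if psk is not None:
            return psk, 3
    return None, 0


# Constructed sample configuration for a gateway at 192.0.2.1.
GW = "192.0.2.1"
SECRETS = [
    Secret(("192.0.2.1", "203.0.113.5"), b"branch-a-psk"),   # keyed by IP pair
    Secret(("@gw", "@branch-b"), b"branch-b-psk"),           # keyed by identities
    Secret(("@gw", "@alice"), b"alice-psk"),                 # road warrior, dynamic IP
]
CONNS = [
    Conn("branch-a", GW, "203.0.113.5", GW, "203.0.113.5"),
    Conn("branch-b", GW, "203.0.113.9", "@gw", "@branch-b"),
    Conn("roadwarrior", GW, "%any", "@gw", "%any"),          # keep last: matches any peer
]


if __name__ == "__main__":
    main_mode = dict(aggressive=False, initiator=False)
    print("branch-a, Main Mode:", select_psk(SECRETS, CONNS, GW, "203.0.113.5", **main_mode))
    print("branch-b, Main Mode:", select_psk(SECRETS, CONNS, GW, "203.0.113.9", **main_mode))
    # alice from a dynamic address: Main Mode responder cannot reach her PSK.
    print("alice, Main Mode:", select_psk(SECRETS, CONNS, GW, "198.51.100.23", **main_mode))
    print("alice, Aggressive:", select_psk(SECRETS, CONNS, GW, "198.51.100.23",
                                           aggressive=True, initiator=False,
                                           local_id="@gw", remote_id="@alice"))
```

The Main Mode road-warrior case returns `(None, 0)`: step 1 has no IP-keyed secret for the dynamic address, step 2 is skipped because the identity is not yet known, and step 3 resolves the roadwarrior connection to `rightid=%any`, which no per-client secret covers. Only a secret with a `%any` selector (one shared PSK for all) or aggressive mode would satisfy the lookup, which is exactly the trade-off Martin points out.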