[strongSwan] ipsec secrets
yordanosb at gmail.com
Tue Dec 11 10:26:53 CET 2012
Thank you so much, Martin, for the quick response.
Now I understand. The IP address lookup came into the picture to address main
On Tue, Dec 11, 2012 at 12:53 AM, Martin Willi <martin at strongswan.org> wrote:
> Hi Jordan,
> > Is this expected? Can anyone please explain to me whether there is a
> > dependency between the PSK selector and the connection leftid/rightid?
> The problem is that with IKEv1 in Main Mode, you need the PSK before you
> even get the remote identity or could look up an associated
> configuration. Therefore, we use the following to get a PSK:
> 1. Try to find a PSK by the remote and local IP address. This will
> yield the PSK in your configuration.
> 2. If no PSK is found, but we are using aggressive mode or act as
> initiator, we can look up the PSK using the peer identities.
> 3. If no PSK is found, the daemon tries to find a configuration by
> the local and remote IP address, and then uses the
> configurations peer identities to find a PSK.
> In practice, using different PSKs for clients without a static IP is
> difficult, IKEv1 just doesn't allow that. You could use aggressive mode
> where the identity is transferred in plain, but this makes you
> vulnerable to dictionary attacks against your PSK.
> So the recommendation is: Don't use PSKs for IKEv1 clients not having a
> static IP.
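As an added illustration (not code from this thread or from strongSwan itself), the following Python model walks through the three lookup steps Martin lists above. The Secret and Conn structures, the selector matching rule, and every address and identity in it are constructed for the example; only the step order and the Main Mode versus Aggressive Mode distinction come from the reply. Running it shows why per-client PSKs for peers without a static address fail in Main Mode: as responder the peer identity is not yet known, and a road-warrior conn with rightid=%any cannot choose between alice's and bob's entries, while in Aggressive Mode step 2 finds the right key.

```python
# Simplified model of the three-step IKEv1 PSK lookup described in the quoted
# reply. Added illustration only, NOT strongSwan's code: the Secret and Conn
# structures, the matching rule and all addresses/identities are constructed.

from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "%any"  # wildcard, as used for ipsec.secrets selectors and right=/rightid=


@dataclass(frozen=True)
class Secret:
    """One PSK line: the selectors in front of the colon (IPs or IDs) and the key."""
    selectors: Tuple[str, ...]
    psk: str

    @property
    def wildcard(self) -> bool:
        return not self.selectors or ANY in self.selectors

    def matches(self, local: str, remote: str) -> bool:
        # Model rule: the peer must be named, and every selector must name one
        # of the two endpoints (so "@alice" alone matches local=gw, remote=@alice).
        return remote in self.selectors and all(s in (local, remote) for s in self.selectors)


@dataclass(frozen=True)
class Conn:
    """One conn section: endpoint addresses and identities; remote may be %any."""
    name: str
    local_ip: str
    remote_ip: str
    local_id: str
    remote_id: str

    def accepts(self, local_ip: str, remote_ip: str) -> bool:
        return self.local_ip == local_ip and self.remote_ip in (ANY, remote_ip)


def _find(secrets: List[Secret], local: str, remote: str) -> Optional[str]:
    """Prefer an entry naming both endpoints; fall back to a wildcard entry."""
    specific = [s for s in secrets if not s.wildcard and s.matches(local, remote)]
    wildcard = [s for s in secrets if s.wildcard]
    hit = specific or wildcard
    return hit[0].psk if hit else None


def lookup_psk(secrets, conns, local_ip, remote_ip, *, local_id,
               remote_id=None, aggressive=False, initiator=False):
    """Return (psk, step) following the order in the reply, or (None, "none").

    remote_id is the peer identity *if known when the PSK is needed*: as
    initiator we know whom we call, and in Aggressive Mode the peer has already
    sent its ID. As a Main Mode responder it is still unknown, so pass None.
    """
    psk = _find(secrets, local_ip, remote_ip)          # step 1: by IP addresses
    if psk:
        return psk, "ip"
    if (aggressive or initiator) and remote_id is not None:
        psk = _find(secrets, local_id, remote_id)      # step 2: by peer identities
        if psk:
            return psk, "id"
    for conn in conns:                                 # step 3: conn by IP, then its IDs
        if conn.accepts(local_ip, remote_ip):
            psk = _find(secrets, conn.local_id, conn.remote_id)
            if psk:
                return psk, "conn-id"
    return None, "none"


GW_IP, GW_ID = "198.51.100.7", "@gw.example.org"    # constructed (RFC 5737 address)

SECRETS = [
    Secret((GW_IP, "192.0.2.1"), "static-peer-key"),        # reached by step 1
    Secret((GW_ID, "@branch.example.org"), "branch-key"),   # reached by step 3
    Secret(("@alice.example.org",), "alice-key"),           # per-client PSKs for
    Secret(("@bob.example.org",), "bob-key"),               # road warriors
]
CONNS = [
    Conn("static-peer", GW_IP, "192.0.2.1", GW_ID, "@peer.example.org"),
    Conn("branch", GW_IP, "192.0.2.5", GW_ID, "@branch.example.org"),
    Conn("roadwarrior", GW_IP, ANY, GW_ID, ANY),
]


def demo(secrets=SECRETS):
    """Gateway acting as responder; alice calls from a dynamic address."""
    return {
        "static_main": lookup_psk(secrets, CONNS, GW_IP, "192.0.2.1", local_id=GW_ID),
        "branch_main": lookup_psk(secrets, CONNS, GW_IP, "192.0.2.5", local_id=GW_ID),
        # Main Mode: ID unknown and the roadwarrior conn has rightid=%any, so
        # neither alice-key nor bob-key can be selected.
        "alice_main": lookup_psk(secrets, CONNS, GW_IP, "203.0.113.9", local_id=GW_ID),
        # Aggressive Mode: the ID arrived in the clear, so step 2 succeeds.
        "alice_aggr": lookup_psk(secrets, CONNS, GW_IP, "203.0.113.9", local_id=GW_ID,
                                 remote_id="@alice.example.org", aggressive=True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} -> {result}")
    # The only PSK a Main Mode road warrior can reach is a single shared
    # wildcard entry, and that is already found by the IP lookup in step 1.
    shared = SECRETS + [Secret((), "shared-roadwarrior-key")]
    print("alice_main with shared wildcard ->", demo(shared)["alice_main"])
```

The model picks a specific entry over a wildcard one so that adding a shared road-warrior PSK does not hijack the static peer's key; how a real daemon orders multiple matching entries is not described in the thread, so treat that preference as part of the illustration.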