[strongSwan] ipsec secrets

yordanos beyene yordanosb at gmail.com
Tue Dec 11 10:26:53 CET 2012

Thank you so much Martin for the quick response.
 Now I understood. The IP address look up came into picture to address main
mode issue.


On Tue, Dec 11, 2012 at 12:53 AM, Martin Willi <martin at strongswan.org>wrote:

> Hi Jordan,
> > Is this expected? Can any one please explain to me whether there is
> > dependency between PSK selector and connection leftid/rightid?
> The problem is that with IKEv1 in Main Mode, you need the PSK before you
> even get the remote identity or could look up an associated
> configuration. Therefore, we use the following to get a PSK:
>      1. Try to find a PSK by the remote and local IP address. This will
>         yield the PSK in your configuration.
>      2. If no PSK is found, but we are using aggressive mode or act as
>         initiator, we can lookup the PSK using the peer identities.
>      3. If no PSK is found, the daemon tries to find a configuration by
>         the local and remote IP address, and then uses the
>         configurations peer identities to find a PSK.
> In practice, using different PSKs for clients without a static IP is
> difficult, IKEv1 just doesn't allow that. You could use aggressive mode
> where the identity is transferred in plain, but this makes you
> vulnerable to dictionary attacks against your PSK.
> So the recommendation is: Don't use PSKs for IKEv1 clients not having a
> static IP.
> Regards
> Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121211/ef4970d2/attachment.html>

More information about the Users mailing list