[strongSwan] IKEv1 and identifiers
Emeric POUPON
emeric.poupon at stormshield.eu
Thu Jun 29 18:03:57 CEST 2017
Hello,
As far as I understand, if we set leftid or rightid to something other than an IP address, we have to turn on the agressive mode by design (https://tools.ietf.org/html/rfc2409#section-5.4)
This significantly degrades the security since as you say in https://wiki.strongswan.org/projects/strongswan/wiki/FAQ the hashes are in clear on the wire.
But if you force both leftid and rightid, I guess you have all the necessary materials to compute the required hashes?
To sum up, for compatibility reason, as soon as there is something other than an IP address, we have to activate the "i_dont_care_about_security_and_use_aggressive_mode_psk" option?
Emeric
More information about the Users
mailing list