[strongSwan] IKEv1 and identifiers

Emeric POUPON emeric.poupon at stormshield.eu
Thu Jun 29 18:03:57 CEST 2017


Hello,

As far as I understand, if we set leftid or rightid to something other than an IP address, we have to turn on the aggressive mode by design (https://tools.ietf.org/html/rfc2409#section-5.4).
This significantly degrades the security since, as you say in https://wiki.strongswan.org/projects/strongswan/wiki/FAQ, the hashes are in clear on the wire.

But if you force both leftid and rightid, I guess you have all the necessary materials to compute the required hashes?

To sum up, for compatibility reasons, as soon as there is something other than an IP address, we have to activate the "i_dont_care_about_security_and_use_aggressive_mode_psk" option?

Emeric
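
The RFC 2409 key derivation behind the constraint this message refers to, as an added example that is not part of the original post or of strongSwan's code: in Main Mode the initiator's ID arrives in message 5, encrypted under SKEYID_e, which already depends on the pre-shared key, so the responder below selects the key by peer IP address. HMAC-SHA1 as the prf, the helper names and all sample values (addresses, keys, nonces, cookies, ID) are constructed assumptions.

```python
import hashlib
import hmac

def prf(key, data):
    # Assumption: HMAC-SHA1 is the negotiated prf.
    return hmac.new(key, data, hashlib.sha1).digest()

def derive_keys(psk, ni_b, nr_b, g_xy, cky_i, cky_r):
    """RFC 2409 section 5 key derivation for pre-shared key authentication."""
    skeyid = prf(psk, ni_b + nr_b)
    tail = g_xy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")  # protects messages 5 and 6
    return skeyid, skeyid_e

def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I from RFC 2409 section 5; it covers the initiator's ID payload body."""
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b)

# Constructed sample values, not real traffic. G_XY stands in for the DH shared secret.
PSK_BY_PEER_IP = {"192.0.2.10": b"constructed-psk-A", "192.0.2.20": b"constructed-psk-B"}
NI, NR = b"\x11" * 16, b"\x22" * 16
G_XI, G_XR, G_XY = b"\x33" * 32, b"\x44" * 32, b"\x55" * 32
CKY_I, CKY_R = b"\xaa" * 8, b"\xbb" * 8
SAI_B = b"constructed-sa-body"
IDII_B = b"\x02\x00\x00\x00" + b"gw.example.test"  # ID_FQDN body, sent only in message 5

def initiator_hash_i(psk):
    """Initiator side: HASH_I computed with its configured pre-shared key."""
    skeyid, _ = derive_keys(psk, NI, NR, G_XY, CKY_I, CKY_R)
    return hash_i(skeyid, G_XI, G_XR, CKY_I, CKY_R, SAI_B, IDII_B)

def responder_verify(peer_ip, received_hash_i):
    """Responder after messages 1-4: the peer address is the only lookup key it has."""
    psk = PSK_BY_PEER_IP.get(peer_ip)
    if psk is None:
        return False
    # SKEYID_e would decrypt message 5; the toy values skip the cipher and use IDII_B.
    skeyid, _skeyid_e = derive_keys(psk, NI, NR, G_XY, CKY_I, CKY_R)
    expected = hash_i(skeyid, G_XI, G_XR, CKY_I, CKY_R, SAI_B, IDII_B)
    return hmac.compare_digest(expected, received_hash_i)

if __name__ == "__main__":
    h = initiator_hash_i(b"constructed-psk-A")
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.1"):
        print(ip, responder_verify(ip, h))
```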

