[Swan-dev] Did Libreswan address these two issues with a Cisco IOS peer ??????

Philippe Vouters philippe.vouters at laposte.net
Mon Feb 24 19:38:03 EET 2014


In the two Cisco IOS versions I worked on (12.x and 15.x), it was 
quite clear that PSK authentication implies running in Aggressive mode 
and RSA authentication forces Main mode. I can't tell anything about 
something else I have not tested.

I just rechecked. I can grant you that the 4 Shrew configuration files 
(PSK and RSA for each of the two Cisco IOS versions) I keep on my disk 
since then are so configured.

Moreover, if you refer to either 
http://vouters.dyndns.org/tima/Linux-Shrew-Cisco_IOS-Configuring_Cisco_IOS_to_setup_an_Internet_VPN.html 
or its follow-up 
http://vouters.dyndns.org/tima/Linux-Cisco_IOS-Radius-OpenCA-Configuring_Linux_for_Cisco_IOS_AAA.html 
you won't notice any explicit Aggressive or Main mode setting in their 
respective Cisco IOS full configuration. And both Cisco IOS 
configurations work with both PSK and RSA authentications. This is 
explicitly stated in the second URL.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 02/24/2014 11:37 AM, Muenz, Michael wrote:
> On 4.02.2014 07:40, Paul Wouters wrote:
>> On Mon, 24 Feb 2014, Philippe Vouters wrote:
>>
>>> By the way, with Cisco IOS, PSK implies Aggressive mode; RSA implies 
>>> Main mode.
>>
>> Not always. Cisco can do PSK with Main Mode as well. Perhaps the GUI
>> does not allow it, but the CLI does allow it. At least in some Ciscos
>> I have seen.
>>
>
> Can't find the original mail with the Aggressive mode stuff, but for 
> Site-2-Site VPNs, Cisco always uses MM per default, only the client 
> implies AM.
> I'm back at work in 3 weeks, then I can offer you full access to 
> multiple routers with different IOS if you like.
> If you have an address in Germany I could donate some old 836 routers 
> and an 886 (with defective ATM, but Ethernet is fine) for testing.
>
> Michael
>


