[Swan-dev] Did Libreswan address these two issues with a Cisco IOS peer ??????

Paul Wouters paul at nohats.ca
Mon Feb 24 20:03:06 EET 2014


On Mon, 24 Feb 2014, Philippe Vouters wrote:

> In the two Cisco IOS versions I worked on (12.x and 15.x), it was quite
> clear that PSK authentication implies running in Aggressive mode and RSA
> authentication forces Main mode. I can't tell anything about something else I
> have not tested.

It is because you were configuring roaming users. In Main Mode, the ID
comes too late for a PSK lookup based on ID, so you would only be able
to have 1 PSK for all your connections. In Aggressive Mode, the ID comes
in with the first packet, so you can have multiple connections with
different PSKs.

This is not an issue for site-to-site VPNs. They come in on static IPs.

It is also not an issue with RSA, because those do not take the IP
address into account for authentication like PSK does.

So you are right for your set of roaming user configurations. But you
cannot conclude all PSK connections must be in Aggressive Mode, or that
all RSA connections must be in Main Mode.

Paul
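As an added illustration of the point made above (example code, not part of this thread and not Libreswan's own code): a toy model of the IKEv1 PSK key schedule showing why a Main Mode responder has to pick the PSK by source address before it can read the peer's identity, while an Aggressive Mode responder sees the identity in the first message. The PSK tables, nonces, identities and the stand-in cipher are constructed for the example.

```python
import hashlib
import hmac

# Constructed tables, not a real configuration. Main Mode can only key on the
# peer's source IP (with one "%any" entry for everyone else); Aggressive Mode can key on ID.
PSK_BY_IP = {"203.0.113.10": b"site-a-secret", "%any": b"one-secret-for-all-roamers"}
PSK_BY_ID = {"alice@example.org": b"alice-secret", "bob@example.org": b"bob-secret"}

def skeyid_psk(psk, ni, nr):
    # RFC 2409, PSK authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def toy_encrypt(key, plaintext):
    # Stand-in for the phase 1 cipher: a keystream plus an integrity tag (plaintext <= 32 bytes).
    stream = hashlib.sha256(key).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def toy_decrypt(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None  # keys derived from a different PSK: payload unreadable
    stream = hashlib.sha256(key).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

def main_mode_initiator(psk, ni, nr, identity):
    # Main Mode message 5: IDii is sent encrypted under keys derived from SKEYID,
    # so the responder must already hold the right PSK to read it.
    return toy_encrypt(skeyid_psk(psk, ni, nr), identity)

def main_mode_responder(src_ip, ni, nr, encrypted_id):
    # The identity is still opaque here: the only selector available is the source address,
    # and every roaming peer falls through to the single "%any" secret.
    psk = PSK_BY_IP.get(src_ip, PSK_BY_IP["%any"])
    return toy_decrypt(skeyid_psk(psk, ni, nr), encrypted_id)

def aggressive_mode_responder(clear_id, ni, nr):
    # Aggressive Mode message 1 carries IDii in the clear, so the PSK can be chosen per identity.
    psk = PSK_BY_ID.get(clear_id.decode())
    return None if psk is None else skeyid_psk(psk, ni, nr)

if __name__ == "__main__":
    ni, nr = b"\x01" * 16, b"\x02" * 16  # constructed nonces
    roaming = main_mode_initiator(b"alice-secret", ni, nr, b"alice@example.org")
    print("Main Mode, roaming peer with own PSK:", main_mode_responder("198.51.100.7", ni, nr, roaming))
    print("Aggressive Mode, same peer:", aggressive_mode_responder(b"alice@example.org", ni, nr).hex())
```

The roaming peer's own PSK is never found in Main Mode because the responder decides on the "%any" secret before it can decrypt the ID; the static site-to-site peer and the Aggressive Mode peer both succeed.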

