[Swan-dev] Did Libreswan address these two issues with a Cisco IOS peer ??????

Philippe Vouters philippe.vouters at laposte.net
Mon Feb 24 20:15:27 EET 2014


I only speak about something I did study, worked hard on and 
successfully tested. Reality appears too often far more imprecise than 
theory. This is all the story behind my long IT support career that I 
carry on today with my Web site.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 02/24/2014 07:03 PM, Paul Wouters wrote:
> On Mon, 24 Feb 2014, Philippe Vouters wrote:
>
>> In the two Cisco IOS versions I worked on (12.x and 15.x), it was 
>> quite clear that PSK authentication implies running in 
>> Aggressive mode and RSA authentication forces Main mode. I can't tell 
>> anything about something else I have not tested.
>
> It is because you were configuring roaming users. In Main Mode, the ID
> comes too late for a PSK lookup based on ID, so you would only be able
> to have 1 PSK for all your connections. In Aggressive Mode, the ID comes
> in with the first packet, so you can have multiple connections with
> different PSKs.
>
> This is not an issue for site-to-site VPNs. They come in on static IPs.
>
> It is also not an issue with RSA, because those do not take the IP
> address into account for authentication like PSK does.
>
> So you are right for your set of roaming user configurations. But you
> cannot conclude all PSK connections must be in Aggressive Mode, or that
> all RSA connections must be in Main Mode.
>
> Paul
>
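Paul's point about when the peer's ID becomes usable for a PSK lookup, as an added example (written for this page, not code from the thread or from Libreswan): a small model of an IKEv1 responder choosing a pre-shared key in Main Mode versus Aggressive Mode. The secrets table, IP addresses and IDs are constructed for the example.

```python
# Added example, not from the thread: models which information an IKEv1
# responder has in hand when it must pick the PSK, per mode.
# The secrets table below is constructed; addresses and IDs are hypothetical.

MAIN = "main"
AGGRESSIVE = "aggressive"

# Constructed secrets: (peer IP or "%any", peer ID or None) -> PSK.
SECRETS = {
    ("198.51.100.7", None): "site-to-site-psk",  # static site-to-site peer
    ("%any", "@alice"): "alice-psk",             # roaming user, keyed by ID
    ("%any", "@bob"): "bob-psk",                 # second roaming user
}

def first_message_carrying_id(mode):
    # Main Mode: IDi is in message 5, encrypted under keys derived from
    # SKEYID, which for PSK auth is prf(PSK, Ni|Nr). The responder therefore
    # has to choose the PSK before it can even read the ID.
    # Aggressive Mode: IDi travels in the clear in message 1.
    return 1 if mode == AGGRESSIVE else 5

def select_psk(mode, peer_ip, peer_id, secrets=SECRETS):
    """Return the PSK the responder can select, or raise if it cannot decide."""
    if first_message_carrying_id(mode) == 1:
        # ID is available: exact (ip, id) first, then (%any, id). Several
        # roaming users with different PSKs are distinguishable.
        for key in ((peer_ip, peer_id), ("%any", peer_id)):
            if key in secrets:
                return secrets[key]
        raise KeyError(f"no PSK for {peer_ip} with ID {peer_id}")
    # Main Mode: only the source IP is known at selection time. A static
    # site-to-site peer matches by IP; roaming peers all fall into %any,
    # and more than one %any entry leaves the responder unable to choose.
    exact = [psk for (ip, _id), psk in secrets.items() if ip == peer_ip]
    wildcard = [psk for (ip, _id), psk in secrets.items() if ip == "%any"]
    pool = exact or wildcard
    if len(pool) != 1:
        raise LookupError(
            f"Main Mode: {len(pool)} PSKs match {peer_ip}; ID not yet available")
    return pool[0]
```

With a single `%any` entry Main Mode still works for roaming users, which is the "only 1 PSK for all your connections" case Paul describes.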