On Mon, 24 Feb 2014, Philippe Vouters wrote:
> In the two Cisco IOS versions I worked on (12.x and 15.x), it was quite clear that PSK authentication implies running in Aggressive mode and RSA authentication forces Main mode. I can't tell anything about something else I have not tested.
It is because you were configuring roaming users. In Main Mode, the ID comes too late for a PSK lookup based on ID, so you would only be able to have 1 PSK for all your connections. In Aggressive Mode, the ID comes in with the first packet, so you can have multiple connections with different PSKs.

This is not an issue for site-to-site VPNs. They come in on static IPs. It is also not an issue with RSA, because those do not take the IP address into account for authentication like PSK does.

So you are right for your set of roaming user configurations. But you cannot conclude all PSK connections must be in Aggressive Mode, or that all RSA connections must be in Main Mode.

Paul

_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
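The timing problem Paul describes comes from how IKEv1 derives its keys: with pre-shared-key authentication, RFC 2409 section 5.4 defines SKEYID = prf(PSK, Ni_b | Nr_b), and in Main Mode the peer's ID payload (message 5) is encrypted under a key derived from SKEYID. The responder therefore has to pick a PSK before it can read the ID, and the only selector it has at that point is the peer's IP address. In Aggressive Mode the ID travels in cleartext in message 1, so the PSK can be chosen by ID. The following toy model is an added example written for this page; it is not libreswan code and not part of the thread. The secrets table, peer names and addresses are constructed, and the cryptography is deliberately simplified (HMAC-SHA256 as the prf, an XOR stream as the "encryption"), so it models key selection only and is not a usable IKE implementation.

```python
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the IKE prf (HMAC-SHA256 here; toy choice)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4: for pre-shared keys, SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with prf(key, 'enc'). Limited to 32-byte payloads."""
    assert len(data) <= 32, "toy cipher only keystreams 32 bytes"
    stream = prf(key, b"enc")
    return bytes(a ^ b for a, b in zip(data, stream))


# Responder's secrets, keyed the way ipsec.secrets selectors work conceptually:
# either a static peer address (or the %any catch-all) or an ID.  Constructed
# sample data for this example.
SECRETS = {
    ("ip", "198.51.100.7"): b"site-to-site-secret",      # branch office, static IP
    ("ip", "%any"): b"shared-roadwarrior-secret",        # the single PSK Main Mode forces
    ("id", "@alice.example.net"): b"alice-secret",       # per-user PSKs, usable only by ID
    ("id", "@bob.example.net"): b"bob-secret",
}


def psk_by_ip(ip: str):
    return SECRETS.get(("ip", ip)) or SECRETS.get(("ip", "%any"))


def psk_by_id(peer_id: str):
    return SECRETS.get(("id", peer_id))


def main_mode(peer_ip: str, peer_id: str, initiator_psk: bytes):
    """Main Mode: the ID arrives in message 5, encrypted under a SKEYID-derived key.

    Returns (authenticated, id_as_recovered_by_responder)."""
    ni, nr = os.urandom(16), os.urandom(16)
    # Initiator (messages 1-5): derive SKEYID from *its* PSK, encrypt ID, send HASH_I.
    skeyid_i = skeyid_psk(initiator_psk, ni, nr)
    id_bytes = peer_id.encode()
    enc_id = toy_encrypt(skeyid_i, id_bytes)
    hash_i = prf(skeyid_i, id_bytes)
    # Responder: at this point it knows only the peer's IP and the nonces,
    # so the PSK lookup can only be by address.
    psk = psk_by_ip(peer_ip)
    if psk is None:
        return False, None
    skeyid_r = skeyid_psk(psk, ni, nr)
    seen_id = toy_encrypt(skeyid_r, enc_id)   # XOR undoes XOR only with the same key
    ok = hmac.compare_digest(prf(skeyid_r, seen_id), hash_i)
    return ok, seen_id.decode(errors="replace")


def aggressive_mode(peer_ip: str, peer_id: str, initiator_psk: bytes):
    """Aggressive Mode: the ID is in cleartext in message 1, so lookup can use it.

    Returns (authenticated, id_as_seen_by_responder)."""
    ni, nr = os.urandom(16), os.urandom(16)
    skeyid_i = skeyid_psk(initiator_psk, ni, nr)
    hash_i = prf(skeyid_i, peer_id.encode())
    # Responder: the ID is already known, so a per-peer PSK can be selected.
    psk = psk_by_id(peer_id) or psk_by_ip(peer_ip)
    if psk is None:
        return False, peer_id
    skeyid_r = skeyid_psk(psk, ni, nr)
    ok = hmac.compare_digest(prf(skeyid_r, peer_id.encode()), hash_i)
    return ok, peer_id


if __name__ == "__main__":
    print("site-to-site, main mode:", main_mode("198.51.100.7", "@branch.example.net", b"site-to-site-secret"))
    print("alice roaming, main mode, own PSK:", main_mode("203.0.113.50", "@alice.example.net", b"alice-secret"))
    print("alice roaming, main mode, shared PSK:", main_mode("203.0.113.50", "@alice.example.net", b"shared-roadwarrior-secret"))
    print("alice roaming, aggressive mode, own PSK:", aggressive_mode("203.0.113.50", "@alice.example.net", b"alice-secret"))
```

Running the model shows the three cases in the reply: the static-IP peer authenticates in Main Mode because its address selects the right PSK; a roaming peer with a per-user PSK fails in Main Mode because the responder, seeing only an unknown address, falls back to the catch-all secret and recovers garbage for the ID; the same roaming peer succeeds in Main Mode only if every road warrior shares that one catch-all PSK; and in Aggressive Mode the cleartext ID lets each roaming peer use its own PSK.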