I only speak about something I did study, worked hard on and
successfully tested. Reality appears too often far more imprecise than
theory. This is all the story behind my long IT support career that I
carry on today with my Web site.
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:vout...@sip.linphone.org
On 02/24/2014 07:03 PM, Paul Wouters wrote:
> On Mon, 24 Feb 2014, Philippe Vouters wrote:
>> In the two Cisco IOS versions I worked on (12.x and 15.x), it was
>> quite clear that PSK authentication implies running in
>> Aggressive mode and RSA authentication forces Main mode. I can't tell
>> anything about something else I have not tested.
>
> It is because you were configuring roaming users. In Main Mode, the ID
> comes too late for a PSK lookup based on ID, so you would only be able
> to have 1 PSK for all your connections. In Aggressive Mode, the ID comes
> in with the first packet, so you can have multiple connections with
> different PSKs.
>
> This is not an issue for site-to-site VPNs. They come in on static IPs.
> It is also not an issue with RSA, because those do not take the IP
> address into account for authentication like PSK does.
>
> So you are right for your set of roaming user configurations. But you
> cannot conclude all PSK connections must be in Aggressive Mode, or that
> all RSA connections must be in Main Mode.
>
> Paul
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
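Paul's point, that in Main Mode the responder must pick a PSK before it has seen the peer's ID while in Aggressive Mode the ID is in the first packet, can be shown with a small model of IKEv1 Phase 1. The following is an added example written for this page; it is not libreswan code and not Cisco behaviour. All names, addresses and secrets are constructed, HMAC-SHA256 stands in for the negotiated prf, and HASH_I is reduced to a MAC over the ID under SKEYID (the real hash covers more payloads, but the dependency on the PSK is what matters here).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed responder configuration (hypothetical names and secrets).
PSK_BY_IP = {"192.0.2.10": b"site-a-secret"}            # site-to-site peer on a static IP
PSK_BY_ID = {"alice@example.invalid": b"alice-secret",   # roaming users, keyed by their ID
             "bob@example.invalid": b"bob-secret"}
GROUP_PSK = b"one-psk-for-every-roamer"                  # the only choice when just the IP is known


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """IKEv1 key seed for PSK authentication: SKEYID = prf(PSK, Ni | Nr).
    HMAC-SHA256 stands in for the negotiated prf."""
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()


def auth_hash(psk: bytes, ni: bytes, nr: bytes, identity: str) -> bytes:
    """Simplified HASH_I: the initiator proves it holds the PSK by MACing its ID
    under SKEYID. The responder cannot verify it without first choosing the same PSK."""
    return hmac.new(skeyid(psk, ni, nr), identity.encode(), hashlib.sha256).digest()


def responder_select_psk(src_ip: str, identity: Optional[str]) -> bytes:
    """Pick the PSK with the information the responder has at the moment it needs it.
    Aggressive Mode: the ID arrived in message 1, so look it up by ID.
    Main Mode: the ID is still unknown (it comes in message 5, already protected by
    keys derived from SKEYID), so only the source IP can drive the choice."""
    if identity is not None and identity in PSK_BY_ID:
        return PSK_BY_ID[identity]
    return PSK_BY_IP.get(src_ip, GROUP_PSK)


def phase1(mode: str, src_ip: str, identity: str, initiator_psk: bytes) -> bool:
    """Run the simplified Phase 1 and report whether the responder accepts the peer."""
    ni, nr = os.urandom(16), os.urandom(16)
    proof = auth_hash(initiator_psk, ni, nr, identity)       # initiator uses its own PSK
    id_known_early = identity if mode == "aggressive" else None
    responder_psk = responder_select_psk(src_ip, id_known_early)
    expected = auth_hash(responder_psk, ni, nr, identity)    # responder recomputes with its pick
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    """The cases discussed in the thread, as accept/reject outcomes."""
    roamer_ip = "198.51.100.7"   # dynamic address, unknown to the responder
    return {
        "site_to_site_main": phase1("main", "192.0.2.10", "site-a", b"site-a-secret"),
        "roamer_main_own_psk": phase1("main", roamer_ip, "alice@example.invalid", b"alice-secret"),
        "roamer_main_group_psk": phase1("main", roamer_ip, "alice@example.invalid", GROUP_PSK),
        "roamer_aggressive_own_psk": phase1("aggressive", roamer_ip, "alice@example.invalid", b"alice-secret"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} {'accepted' if accepted else 'rejected'}")
```

Running it shows the site-to-site peer authenticating in Main Mode because its static IP selects the right PSK, the roaming user being rejected in Main Mode unless she uses the single group PSK, and the same user being accepted with her own PSK in Aggressive Mode. This is the asymmetry Paul describes; it is a property of where the ID sits in the exchange, not a rule that PSK always needs Aggressive Mode.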