 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Monowall and Freeswan
 Date:  Wed, 9 Feb 2005 18:25:14 -0800 (PST)
On Wed, 9 Feb 2005, Josh McAllister wrote:

> My bad, I assumed that people for which security was a significant
> concern would not waste time with aggressive mode. To me main mode is a
> given. I was in fact referring to main mode.

I mentioned both cases, because main mode is most definitely *not* a
given.  Due to a quirk in the way IKE works, when main mode is used with a
PSK, the only allowable peer identifier is the peer's IP address (RFC2409,
section 5.4).  That precludes the use of main mode with any form of
dynamic IP, including "mobile clients".

This restriction doesn't apply to public-key authentication, but m0n0wall
doesn't currently support that.  And if that were the scenario we wouldn't
be arguing about the security of PSKs. :-)

					Fred Wright
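To make the RFC 2409 quirk Fred describes concrete, here is an added Python model of a responder's pre-shared-key selection in main mode versus aggressive mode. It is not code from m0n0wall, FreeS/WAN or anyone in this thread; the PSK tables, addresses and identifiers are constructed sample values, and the message ordering follows RFC 2409 sections 5.4 and 5.5.

```python
"""Why IKEv1 main mode with a pre-shared key can only identify the peer
by its IP address (RFC 2409, section 5.4), shown as a responder model.

Added example for this list archive; not m0n0wall or FreeS/WAN code.
All tables and addresses below are constructed sample values.
"""
import hashlib
import hmac
import os

# Constructed responder configuration. In main mode the only selector the
# responder has when it must choose the PSK is the peer's source address;
# in aggressive mode it also has the ID payload from message 1.
PSK_BY_IP = {
    "203.0.113.10": b"office-gateway-secret",   # static-IP site-to-site peer
}
PSK_BY_ID = {
    "laptop.example.com": b"roaming-laptop-secret",  # dynamic-IP mobile client
}


def select_psk(mode, src_ip, clear_id=None):
    """Return the PSK the responder can use for Phase 1, or None.

    Main mode: the ID payload travels in message 5, encrypted with keys
    derived from SKEYID, and for PSK authentication SKEYID = prf(PSK, Ni|Nr).
    The responder must therefore pick the PSK *before* it can read the
    peer's identity, and all it knows at that point is the source IP.

    Aggressive mode: IDii is sent in the clear in message 1, so the
    responder can select the PSK by identity, which works with dynamic IPs.
    """
    if mode == "main":
        return PSK_BY_IP.get(src_ip)
    if mode == "aggressive":
        if clear_id is None:
            raise ValueError("aggressive mode message 1 always carries IDii")
        return PSK_BY_ID.get(clear_id)
    raise ValueError("unknown exchange mode: %r" % (mode,))


def derive_skeyid(psk, ni, nr):
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b).

    HMAC-SHA1 stands in for the negotiated prf (RFC 2409 section 5.4).
    """
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def phase1_outcome(mode, src_ip, clear_id=None, ni=None, nr=None):
    """Simulate the responder's PSK choice and SKEYID derivation.

    Returns the hex SKEYID on success, or None when no PSK could be chosen
    (the responder would then be unable to decrypt main mode message 5).
    """
    psk = select_psk(mode, src_ip, clear_id)
    if psk is None:
        return None
    ni = ni if ni is not None else os.urandom(16)
    nr = nr if nr is not None else os.urandom(16)
    return derive_skeyid(psk, ni, nr).hex()


if __name__ == "__main__":
    # Static-IP peer: main mode works because the IP selects the PSK.
    print("office gateway, main mode:", phase1_outcome("main", "203.0.113.10"))
    # Same mobile client from a new dynamic address: main mode has no
    # usable selector, aggressive mode can key on the cleartext FQDN ID.
    print("laptop, main mode:", phase1_outcome("main", "198.51.100.7"))
    print("laptop, aggressive mode:",
          phase1_outcome("aggressive", "198.51.100.7", "laptop.example.com"))
```

The model deliberately leaves out the SA, KE and HASH payloads; the point it isolates is the ordering constraint (PSK needed before the ID is readable) that makes the peer's IP the only workable main-mode identifier, which is exactly what rules main mode out for "mobile clients" on dynamic addresses.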