Well there you go; it wasn't a total waste of electrons. I did learn something new. I had never made the connection RE. main mode only working with IP identifier; that was actually tripping me up just the other day while I was dinking around. All rants should end so well. ;)

Josh McAllister

> -----Original Message-----
> From: Fred Wright [mailto:fw at well dot com]
> Sent: Wednesday, February 09, 2005 7:25 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Monowall and Freeswan
>
> On Wed, 9 Feb 2005, Josh McAllister wrote:
>
> > My bad, I assumed that people for which security was a significant concern would not waste time with aggressive mode. To me main mode is a given. I was in fact referring to main mode.
>
> I mentioned both cases, because main mode is most definitely *not* a given. Due to a quirk in the way IKE works, when main mode is used with a PSK, the only allowable peer identifier is the peer's IP address (RFC2409, section 5.4). That precludes the use of main mode with any form of dynamic IP, including "mobile clients".
>
> This restriction doesn't apply to public-key authentication, but m0n0wall doesn't currently support that. And if that were the scenario we wouldn't be arguing about the security of PSKs. :-)
>
> Fred Wright
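The constraint Fred describes, shown as an added illustration (not code from this thread, from m0n0wall or from FreeS/WAN): in main mode the responder must already hold the PSK to derive SKEYID and decrypt the ID payload, so the only selector it has left is the peer's source IP, whereas aggressive mode carries the ID in the clear. HMAC-SHA1 as the prf and the small peer table are assumptions.

```python
import hmac
import hashlib

# Constructed peer table: a static-IP site and a mobile client known only by ID.
PSK_BY_IP = {"203.0.113.10": b"site-a-secret"}
PSK_BY_ID = {"roadwarrior@example.net": b"mobile-secret"}


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    prf is assumed to be HMAC-SHA1 here."""
    return hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()


def select_psk_main_mode(peer_ip: str):
    # Main mode: IDii arrives in message 5, encrypted under keys derived
    # from SKEYID, which itself needs the PSK. The only cleartext selector
    # the responder has is the peer's IP address, so a dynamic IP cannot
    # be matched to its PSK.
    return PSK_BY_IP.get(peer_ip)


def select_psk_aggressive_mode(peer_ip: str, peer_id: str):
    # Aggressive mode: IDii is sent in the clear in message 1 and can select
    # the PSK. The price, and why the thread treats it as the weaker choice,
    # is that the PSK-keyed HASH_I also crosses the wire unencrypted.
    return PSK_BY_ID.get(peer_id) or PSK_BY_IP.get(peer_ip)


def responder_skeyid(mode: str, peer_ip: str, peer_id: str,
                     ni_b: bytes, nr_b: bytes):
    """Return SKEYID if the responder can find a PSK for this peer, else None."""
    if mode == "main":
        psk = select_psk_main_mode(peer_ip)
    elif mode == "aggressive":
        psk = select_psk_aggressive_mode(peer_ip, peer_id)
    else:
        raise ValueError("unknown IKE phase 1 mode: %r" % mode)
    if psk is None:
        return None
    return skeyid_psk(psk, ni_b, nr_b)


if __name__ == "__main__":
    ni, nr = b"\x01" * 16, b"\x02" * 16  # constructed nonces
    print("static peer, main mode:   ", responder_skeyid("main", "203.0.113.10", "", ni, nr) is not None)
    print("mobile peer, main mode:   ", responder_skeyid("main", "198.51.100.7", "roadwarrior@example.net", ni, nr) is not None)
    print("mobile peer, aggressive:  ", responder_skeyid("aggressive", "198.51.100.7", "roadwarrior@example.net", ni, nr) is not None)
```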