 From:  "Josh McAllister" <josh at bluehornet dot com>
 To:  "Fred Wright" <fw at well dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Monowall and Freeswan
 Date:  Wed, 9 Feb 2005 23:41:55 -0800
Well there you go; it wasn't a total waste of electrons. I did learn
something new. I had never made the connection RE. main mode only
working with IP identifier, that was actually tripping me up just the
other day while I was dinking around.

All rants should end so well. ;)

Josh McAllister


> -----Original Message-----
> From: Fred Wright [mailto:fw at well dot com]
> Sent: Wednesday, February 09, 2005 7:25 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Monowall and Freeswan
> 
> 
> On Wed, 9 Feb 2005, Josh McAllister wrote:
> 
> > My bad, I assumed that people for which security was a significant
> > concern would not waste time with aggressive mode. To me main mode is a
> > given. I was in fact referring to main mode.
> 
> I mentioned both cases, because main mode is most definitely *not* a
> given.  Due to a quirk in the way IKE works, when main mode is used with a
> PSK, the only allowable peer identifier is the peer's IP address (RFC2409,
> section 5.4).  That precludes the use of main mode with any form of
> dynamic IP, including "mobile clients".
> 
> This restriction doesn't apply to public-key authentication, but m0n0wall
> doesn't currently support that.  And if that were the scenario we wouldn't
> be arguing about the security of PSKs. :-)
> 
> 					Fred Wright
> 
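Added example (not code from the thread, m0n0wall or FreeS/WAN) illustrating the RFC 2409 section 5.4 restriction Fred describes: in main mode the initiator's identity arrives encrypted under a key derived from SKEYID = prf(PSK, Ni_b | Nr_b), so the responder has to choose the PSK before it can read the ID and its only selector is the source IP; in aggressive mode the ID is in the clear in the first message. HMAC-SHA1 as the prf, the XOR keystream standing in for the negotiated cipher, and the IPs, nonces and identities are all constructed for this example.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 prf; HMAC-SHA1 is one of the negotiable choices (assumption for this demo)
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)


def xor_crypt(key: bytes, data: bytes) -> bytes:
    # Stand-in for the negotiated cipher (constructed): keystream = prf(key, block counter)
    out = bytearray()
    for i in range(0, len(data), 20):
        ks = prf(key, bytes([i // 20]))
        out += bytes(a ^ b for a, b in zip(data[i:i + 20], ks))
    return bytes(out)


def main_mode_msg5(psk: bytes, ni: bytes, nr: bytes, id_i: bytes) -> bytes:
    # Initiator's 5th main-mode message: IDii travels encrypted under a SKEYID-derived key
    return xor_crypt(skeyid_psk(psk, ni, nr), id_i)


def main_mode_responder(psk_by_ip: dict, src_ip: str, ni: bytes, nr: bytes, msg5: bytes):
    # The responder must pick the PSK BEFORE it can decrypt IDii, so the only
    # usable selector is the peer's source IP.  A dynamic/unknown IP finds no key.
    psk = psk_by_ip.get(src_ip)
    if psk is None:
        return None
    return xor_crypt(skeyid_psk(psk, ni, nr), msg5)


def aggressive_mode_responder(psk_by_id: dict, id_i_clear: bytes):
    # Aggressive mode message 1 carries IDii in the clear, so the PSK can be
    # selected by identity (e.g. an FQDN) regardless of the peer's IP address.
    return psk_by_id.get(id_i_clear)
```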