Claude Morin wrote:
> Because people keep talking about using aggressive mode: from my admittedly
> limited reading, it seems to me that using aggressive mode is a very bad
> idea anyway. Can anyone comment authoritatively?
>
> -klode

Aggressive Mode is often used to connect clients with dynamic IPs together with Pre-Shared Keys. In Aggressive Mode the PSK hash and identity information are transmitted in clear text, and this enables the correlation of PSK/connection <-> dynamic client. The clear-text transmission enables an attack on the key. When hacked, it would allow using the tunnel from anywhere because there is no IP restriction.

See: http://www.ernw.de/download/pskattack.pdf

I have no problem using aggressive tunnels and always use keys with >20 chars, and I recommend this setup if there is no other way (meaning no possibility of using certificates).

Regards
Bjoern