 From:  "Bjoern Euler (Lists at edain)" <lists at edain dot de>
 To:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Free VPN Client
 Date:  Sat, 18 Jun 2005 00:14:47 +0200
Claude Morin wrote:

>Because people keep talking about using aggressive mode: from my admittedly 
>limited reading, it seems to me that using aggressive mode is a very bad 
>idea anyway. Can anyone comment authoritatively?
Aggressive Mode is often used to connect clients with dynamic IPs 
together with Pre-Shared Keys. In Aggressive Mode the PSK hash and identity 
information are transmitted in clear text, and so enable the correlation 
of PSK/connection<->dynamic client.
The clear text transmission enables an attack on the key. When hacked it 
would allow using the tunnel from everywhere because there is no IP 
See: http://www.ernw.de/download/pskattack.pdf

I have no problem using aggressive tunnels and always use keys with >20 
chars and recommend this setup if there is no other way (meaning no 
possibility using certificates).
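As an added example, not part of this thread or of m0n0wall, here is a small Python detector that flags IKEv1 Aggressive Mode exchanges on the wire by parsing the fixed 28-byte ISAKMP header of a UDP/500 datagram (RFC 2408 layout; exchange type 4 is Aggressive, 2 is Main Mode). The sample datagrams are constructed inline so the check can be run offline; a real deployment would feed it packet captures from the firewall.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1): initiator cookie, responder cookie,
# next payload, version (major<<4 | minor), exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

IKEV1_EXCHANGE_TYPES = {
    0: "NONE",
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
}


def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the fixed ISAKMP header of one UDP/500 payload into a dict."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(datagram)
    return {
        "initiator_spi": icookie.hex(),
        "responder_spi": rcookie.hex(),
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch,
        "exchange_name": IKEV1_EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def is_aggressive_mode(datagram: bytes) -> bool:
    """True if this is an IKEv1 (major version 1) Aggressive Mode message."""
    hdr = parse_isakmp_header(datagram)
    return hdr["major_version"] == 1 and hdr["exchange_type"] == 4


def _make_first_message(exchange_type: int) -> bytes:
    # Constructed sample: first message of an exchange, responder cookie still zero,
    # next payload 1 (SA), IKEv1 version byte 0x10, header-only length of 28.
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0, 28)


SAMPLE_AGGRESSIVE = _make_first_message(4)   # constructed Aggressive Mode datagram
SAMPLE_MAIN_MODE = _make_first_message(2)    # constructed Main Mode datagram
```

Running `is_aggressive_mode()` over every UDP/500 datagram gives a simple way to inventory which peers still negotiate with Aggressive Mode before deciding whether they can move to certificates.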