Claude Morin wrote:
>Because people keep talking about using aggressive mode: from my admittedly
>limited reading, it seems to me that using aggressive mode is a very bad
>idea anyway. Can anyone comment authoritatively?
Aggressive Mode is often used to connect clients with dynamic IPs
together with Pre-Shared Keys. In Aggressive Mode the PSK hash and identity
information are transmitted in clear text, which enables the correlation
of PSK/connection <-> dynamic client.

The clear text transmission enables an attack on the key. When hacked, it
would allow using the tunnel from everywhere because there is no IP

I have no problem using aggressive tunnels and always use keys with >20
chars, and I recommend this setup if there is no other way (meaning no
possibility of using certificates).
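As an added illustration (not code from the thread), the following Python parser walks the ISAKMP header and payload chain of an IKEv1 message and flags Aggressive Mode exchanges whose ID and HASH payloads travel unencrypted, which is the exposure described above. The two sample packets are constructed with dummy payload bodies, not captured traffic; payload and exchange type numbers are the RFC 2408/2409 values.

```python
import struct

# ISAKMP (IKEv1) fixed header, 28 bytes: cookies, next payload, version,
# exchange type, flags, message ID, total length (RFC 2408 section 3.1)
HDR = struct.Struct(">8s8sBBBBII")
EXCHANGE_TYPES = {1: "Base", 2: "Main Mode", 4: "Aggressive Mode",
                  5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
FLAG_ENCRYPTED = 0x01   # E bit: payloads after the header are encrypted


def parse_isakmp(pkt: bytes) -> dict:
    """Parse the header and walk the clear-text payload chain."""
    if len(pkt) < HDR.size:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nxt, version, exch, flags, _msg_id, length = HDR.unpack_from(pkt)
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    if length != len(pkt):
        raise ValueError("header length does not match packet length")
    payloads, off = [], HDR.size
    # Payload headers are only readable when the E bit is clear
    if not flags & FLAG_ENCRYPTED:
        while nxt != 0:
            if off + 4 > len(pkt):
                raise ValueError("truncated payload header")
            following, _reserved, plen = struct.unpack_from(">BBH", pkt, off)
            if plen < 4 or off + plen > len(pkt):
                raise ValueError("bad payload length")
            payloads.append(PAYLOAD_TYPES.get(nxt, f"type{nxt}"))
            nxt, off = following, off + plen
    return {"exchange": EXCHANGE_TYPES.get(exch, f"type{exch}"),
            "encrypted": bool(flags & FLAG_ENCRYPTED), "payloads": payloads}


def exposes_psk_material(pkt: bytes) -> bool:
    """True for an Aggressive Mode message carrying ID or HASH in clear text."""
    p = parse_isakmp(pkt)
    return (p["exchange"] == "Aggressive Mode" and not p["encrypted"]
            and bool({"ID", "HASH"} & set(p["payloads"])))


def build_packet(exchange_type: int, payload_types: list, flags: int = 0) -> bytes:
    """Constructed sample message with 16-byte dummy payload bodies."""
    body = b""
    for i, ptype in enumerate(payload_types):
        following = payload_types[i + 1] if i + 1 < len(payload_types) else 0
        body += struct.pack(">BBH", following, 0, 20) + b"\x00" * 16
    first = payload_types[0] if payload_types else 0
    return HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange_type,
                    flags, 0, HDR.size + len(body)) + body


# Aggressive Mode responder message: SA, KE, NONCE, ID and HASH all in clear
AGGRESSIVE_MSG2 = build_packet(4, [1, 4, 10, 5, 8])
# Main Mode first message: only the SA payload; identities follow encrypted
MAIN_MSG1 = build_packet(2, [1])
```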