Oh. I think it is because the PSK is used as part of the DH key
exchange in MM4. If the server does not have the group ID at that
point (because it is not communicated to the server until MM5) it
would be unable to deduce what PSK to use for DH key exchange. Is that
right?

Conversely, with rsa-sig the PSK is obviously not used in the DH key
exchange, so we can proceed with MM.

Sorry, it seems I have been answering my own questions after pondering
them a bit. Also, when learning fresh things I always need lots of
reassurance that I got it right : )

On 3/14/12, Joe Astorino <[email protected]> wrote:
> Can anybody help me understand why EZVPN with PSK auth uses IKE MM but
> with rsa-sig uses IKE AM?
>
> I get that in aggressive mode we pass the IKE ID in clear text and that
> the ID we pass identifies the group name and thus allows the server to
> find the PSK configured for the group.
>
> I am just fuzzy on why that can't still happen with IKE MM encrypted
> in MM5. Thanks!
>
>
>
> --
> Sent from my mobile device
>
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>

-- 
Sent from my mobile device

Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
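As an added illustration that is not part of this thread, here is a small Python model of the chicken-and-egg the thread is circling around: in IKEv1 main mode the peer's ID arrives only in MM5, encrypted under SKEYID_e, which is itself derived from the PSK (RFC 2409 section 5), so a responder holding one PSK per group has nothing to select the key by until it can read the ID; in aggressive mode the ID is in message 1 in the clear and the group PSK can be looked up first. The group names, secrets, nonces and the XOR "cipher" are constructed stand-ins, not anything from EZVPN or the thread.

```python
import hashlib
import hmac

# Constructed per-group PSK table keyed by the IKE ID (group name) a client sends.
PSK_BY_GROUP = {b"group-a": b"psk-for-a", b"group-b": b"psk-for-b"}


def prf(key, data):
    """IKEv1 prf, here HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_e(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID and SKEYID_e for pre-shared-key authentication (RFC 2409 sec. 5, 5.4)."""
    skeyid = prf(psk, ni + nr)  # PSK enters here, before anything is encrypted
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    return prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")


def toy_cipher(key, data):
    """Constructed stand-in for the ISAKMP cipher: XOR with a prf-derived keystream.
    Symmetric, so the same call both encrypts and decrypts."""
    stream = prf(key, b"keystream")
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def initiator_mm5(group_id, ni, nr, gxy, cky_i, cky_r):
    """Main mode: the initiator's ID is sent only in MM5, encrypted under SKEYID_e."""
    key = skeyid_e(PSK_BY_GROUP[group_id], ni, nr, gxy, cky_i, cky_r)
    return toy_cipher(key, group_id)


def responder_main_mode(enc_id, ni, nr, gxy, cky_i, cky_r, known_psk=None):
    """The responder can read MM5 only with a PSK it already picked. With per-group
    PSKs and no ID yet, there is nothing to pick by, so the ID stays unreadable."""
    if known_psk is None:
        return None
    return toy_cipher(skeyid_e(known_psk, ni, nr, gxy, cky_i, cky_r), enc_id)


def responder_aggressive_mode(clear_id):
    """Aggressive mode: the ID is in message 1 in the clear, so the group PSK is
    looked up before any key derivation happens."""
    return PSK_BY_GROUP.get(clear_id)
```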