With PSK, the pre-shared keys are used for keying material to generate keys and the Server uses the group name to find the keys.
Now for RSA-SIG, I am sure, if the IKE AM message supports carrying signature hashes. That could be the reason. Never tried that.

With regards
Kings

On Wed, Mar 14, 2012 at 2:41 PM, Joe Astorino <[email protected]> wrote:
> Oh. I think it is because the PSK is used as part of the DH key exchange in MM4. If the server does not have the group ID at that point (because it is not communicated to the server until MM5) it would be unable to deduce what PSK to use for DH key exchange. Is that right?
>
> Conversely with rsa-sig obviously the PSK is not used in the DH key exchange so we can proceed with MM
>
> Sorry it seems I have been answering my own questions after pondering them a bit. Also, when learning fresh things I always need lots of reassurance I got it right : )
>
> On 3/14/12, Joe Astorino <[email protected]> wrote:
> > Can anybody help me understand why EZVPN with PSK auth uses IKE MM but with rsa-sig uses IKE AM?
> >
> > I get that in aggressive mode we pass the IKE ID in clear text and that the ID we pass identifies the group name and thus allows the server to find the PSK configured for the group.
> >
> > I am just fuzzy on why that can't still happen with IKE MM encrypted in MM5. Thanks!
> >
> > --
> > Sent from my mobile device
> >
> > Regards,
> >
> > Joe Astorino
> > CCIE #24347
> > http://astorinonetworks.com
> >
> > "He not busy being born is busy dying" - Dylan
>
> --
> Sent from my mobile device
>
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
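The keying relationship the thread is circling, as an added illustration that is not part of the original messages: a constructed toy model of IKEv1 phase 1 key derivation (RFC 2409, section 5) with fixed nonces, cookies and DH secret and a stand-in stream cipher. It shows that under PSK authentication the key protecting the MM5 ID payload already depends on the group's PSK, so the responder must know the group before it can read the ID, while aggressive mode hands it the ID in message 1. Group names and PSKs are made up.

```python
import hmac
import hashlib

# Constructed toy model of IKEv1 phase 1 keying (RFC 2409, section 5).
# Nonces, cookies and the DH shared secret are fixed byte strings here;
# xor_stream stands in for the real CBC cipher. Not production code.

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared key auth: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)

def skeyid_sig(ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    """Signature auth: SKEYID = prf(Ni_b | Nr_b, g^xy). No PSK involved."""
    return prf(ni + nr, gxy)

def skeyid_e(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID_e, the key that protects MM5/MM6 and therefore the ID payload."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    return prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher; the same call encrypts and decrypts."""
    ks = b"".join(prf(key, bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(x ^ k for x, k in zip(data, ks))

# Constructed responder state: one PSK per EZVPN group name.
GROUP_PSKS = {b"sales": b"psk-for-sales", b"eng": b"psk-for-eng"}
NI, NR, GXY = b"nonce-i", b"nonce-r", b"dh-shared-secret"
CKY_I, CKY_R = b"cookie-i", b"cookie-r"

def build_mm5(group: bytes) -> bytes:
    """Initiator: ID_i encrypted under SKEYID_e derived from its group's PSK."""
    ke = skeyid_e(skeyid_psk(GROUP_PSKS[group], NI, NR), GXY, CKY_I, CKY_R)
    return xor_stream(ke, group)

def responder_decrypt_mm5(candidate_psk: bytes, mm5: bytes) -> bytes:
    """Responder: the ID is only recovered if the right PSK was chosen first,
    yet the ID is the very thing that names the PSK (the circularity)."""
    ke = skeyid_e(skeyid_psk(candidate_psk, NI, NR), GXY, CKY_I, CKY_R)
    return xor_stream(ke, mm5)

def aggressive_mode_psk(id_i_clear: bytes):
    """AM message 1 carries ID_i in the clear: look the group PSK up directly."""
    return GROUP_PSKS.get(id_i_clear)
```

With rsa-sig, `skeyid_sig` takes no PSK at all, which is why the thread's contrast holds: nothing in MM5 protection depends on a secret the responder must select by group.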
