Piotr, do you mean that PSK is not used as an ingredient for generating the shared secret?

With regards,
Kings

On Wed, Mar 14, 2012 at 4:14 PM, Piotr Matusiak <[email protected]> wrote:
> Hi Joe,
>
> PSK is not used by DH but it is required to be known after DH exchange and
> before sending MM5. This is a real disadvantage (and security risk) when
> you're using MM with PSK.
> You're right saying that PSK in EasyVPN must be known earlier as all
> information (including ID Payload) is sent using AM Msg#1. This is only
> used with EasyVPN (I mean AM is used). When using RSA-sig with EasyVPN this
> is done with MM.
>
> Using AM with RSA-sig is also possible but not recommended.
>
> Regards,
> Piotr
>
>
> 2012/3/14 Joe Astorino <[email protected]>
>
>> Oh. I think it is because the PSK is used as part of the DH key
>> exchange in MM4. If the server does not have the group ID at that
>> point (because it is not communicated to the server until MM5) it
>> would be unable to deduce what PSK to use for DH key exchange. Is that
>> right?
>>
>> Conversely with rsa-sig obviously the PSK is not used in the DH key
>> exchange so we can proceed with MM.
>>
>> Sorry, it seems I have been answering my own questions after pondering
>> them a bit. Also, when learning fresh things I always need lots of
>> reassurance I got it right : )
>>
>>
>> On 3/14/12, Joe Astorino <[email protected]> wrote:
>> > Can anybody help me understand why EZVPN with PSK auth uses IKE MM but
>> > with rsa-sig uses IKE AM?
>> >
>> > I get that in aggressive mode we pass the IKE ID in clear text and that
>> > the ID we pass identifies the group name and thus allows the server to
>> > find the PSK configured for the group.
>> >
>> > I am just fuzzy on why that can't still happen with IKE MM encrypted
>> > in MM5. Thanks!
>> >
>> > --
>> > Sent from my mobile device
>> >
>> > Regards,
>> >
>> > Joe Astorino
>> > CCIE #24347
>> > http://astorinonetworks.com
>> >
>> > "He not busy being born is busy dying" - Dylan
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
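The point Piotr makes about the PSK being needed before MM5 can be built is visible in the RFC 2409 key schedule. The following Python is an added illustration, not part of the thread; it assumes HMAC-SHA1 as the IKEv1 prf, uses constructed nonce, DH and cookie values, and two hypothetical EzVPN group names.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid(auth: str, ni: bytes, nr: bytes, g_xy: bytes, psk: bytes = b"") -> bytes:
    """SKEYID per RFC 2409 section 5: the PSK enters only in the pre-shared-key method."""
    if auth == "psk":
        return prf(psk, ni + nr)        # responder must already have picked a PSK
    if auth == "sig":
        return prf(ni + nr, g_xy)       # PSK plays no part; only nonces and the DH secret
    raise ValueError(f"unknown auth method {auth!r}")

def skeyid_e(sk: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID_e, the key material that protects MM5/MM6 (RFC 2409 section 5)."""
    sk_d = prf(sk, g_xy + cky_i + cky_r + b"\x00")
    sk_a = prf(sk, sk_d + g_xy + cky_i + cky_r + b"\x01")
    return prf(sk, sk_a + g_xy + cky_i + cky_r + b"\x02")

# Constructed sample values; in a real exchange they come from MM3/MM4 and the DH computation.
NI = bytes.fromhex("00112233445566778899aabbccddeeff")
NR = bytes.fromhex("ffeeddccbbaa99887766554433221100")
G_XY = hashlib.sha256(b"constructed DH shared secret").digest()
CKY_I = b"\x01" * 8
CKY_R = b"\x02" * 8
# Two hypothetical EzVPN groups with their own PSKs; the group name only arrives inside MM5.
GROUP_PSKS = {"sales": b"sales-group-key", "eng": b"eng-group-key"}

def mm5_keys_per_group(auth: str) -> dict:
    """MM5 key material the responder would derive for each candidate group PSK."""
    return {g: skeyid_e(skeyid(auth, NI, NR, G_XY, p), G_XY, CKY_I, CKY_R)
            for g, p in GROUP_PSKS.items()}

def responder_needs_identity_before_mm5(auth: str) -> bool:
    """True when the MM5 key differs per group: the responder cannot decrypt MM5 (where
    the ID payload lives) without first committing to a PSK, and in Main Mode its only
    selector at that point is the peer's IP address."""
    return len(set(mm5_keys_per_group(auth).values())) > 1

if __name__ == "__main__":
    for auth in ("psk", "sig"):
        print(auth, "needs identity before MM5:", responder_needs_identity_before_mm5(auth))
```

With the signature method every group yields the same SKEYID_e, so the responder can decrypt MM5 and read the ID; with PSK each group gives a different key, which is why EzVPN sends the group ID in clear in AM Msg#1 instead.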
