So you agree with me that the SKEY has PSK as an ingredient...

With regards,
Kings

On Wed, Mar 14, 2012 at 7:55 PM, Joe Astorino <[email protected]> wrote:
> Piotr,
>
> Perfect explanation, thank you! I didn't have the DH in front of me
> late last night (early this morning hehe) but now it is plain to
> see... Kings, if you take a look at the DH exchange you will see Piotr
> is spot on. MM3 and MM4 are only exchanges of DH public values and
> nonces. It is after MM4 but before MM5 that the shared secret
> derived from DH is actually calculated, and also during this time SKEY
> is generated, which is partly based on the PSK.
>
> It makes sense now... I was on the right track, but missing some of the
> small details (and you all know how much I love the details!)
>
> On Wed, Mar 14, 2012 at 6:44 AM, Piotr Matusiak <[email protected]> wrote:
> > Hi Joe,
> >
> > PSK is not used by DH but it is required to be known after DH exchange
> > and before sending MM5. This is a real disadvantage (and security risk)
> > when you're using MM with PSK.
> > You're right saying that PSK in EasyVPN must be known earlier as all
> > information (including ID Payload) is sent using AM Msg#1. This is only
> > used with EasyVPN (I mean AM is used). When using RSA-sig with EasyVPN
> > this is done with MM.
> >
> > Using AM with RSA-sig is also possible but not recommended.
> >
> > Regards,
> > Piotr
> >
> > 2012/3/14 Joe Astorino <[email protected]>
> >>
> >> Oh. I think it is because the PSK is used as part of the DH key
> >> exchange in MM4. If the server does not have the group ID at that
> >> point (because it is not communicated to the server until MM5) it
> >> would be unable to deduce what PSK to use for DH key exchange. Is that
> >> right?
> >>
> >> Conversely with rsa-sig obviously the PSK is not used in the DH key
> >> exchange so we can proceed with MM
> >>
> >> Sorry it seems I have been answering my own questions after pondering
> >> them a bit. Also, when learning fresh things I always need lots of
> >> reassurance I got it right : )
> >>
> >> On 3/14/12, Joe Astorino <[email protected]> wrote:
> >> > Can anybody help me understand why EZVPN with PSK auth uses IKE MM but
> >> > with rsa-sig uses IKE AM?
> >> >
> >> > I get that in aggressive mode we pass the IKE ID in clear text and that
> >> > the ID we pass identifies the group name and thus allows the server to
> >> > find the PSK configured for the group.
> >> >
> >> > I am just fuzzy on why that can't still happen with IKE MM encrypted
> >> > in MM5. Thanks!
> >> >
> >> > --
> >> > Sent from my mobile device
> >> >
> >> > Regards,
> >> >
> >> > Joe Astorino
> >> > CCIE #24347
> >> > http://astorinonetworks.com
> >> >
> >> > "He not busy being born is busy dying" - Dylan
> >>
> >> --
> >> Sent from my mobile device
> >>
> >> Regards,
> >>
> >> Joe Astorino
> >> CCIE #24347
> >> http://astorinonetworks.com
> >>
> >> "He not busy being born is busy dying" - Dylan
> >> _______________________________________________
> >> For more information regarding industry leading CCIE Lab training,
> >> please visit www.ipexpert.com
> >>
> >> Are you a CCNP or CCIE and looking for a job? Check out
> >> www.PlatinumPlacement.com
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
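The derivation the thread is circling around, as an added example for this page and not code from the list, from Cisco, or from any participant: RFC 2409 section 5.4 defines SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for pre-shared-key authentication and SKEYID = prf(Ni_b | Nr_b, g^xy) for signature authentication, and SKEYID_e, derived from SKEYID, is the key that encrypts MM5. The block walks MM1 through MM5 from the responder's side. With PSK in Main Mode the responder has no ID payload yet at the moment it must derive SKEYID_e, so the only selector it can key the PSK lookup on is the initiator's source address; a wrong or missing entry leaves MM5 unreadable and HASH_I failing. In Aggressive Mode the ID travels in the clear in AM1, so the responder selects the PSK by group name before deriving anything. Assumptions, none of them from the original thread: HMAC-SHA1 as the negotiated prf, Oakley group 2 for Diffie-Hellman, and `toy_cipher`, an XOR keystream stand-in that is not IKE's real cipher. The addresses, PSKs and group names are constructed.

```python
"""IKEv1 phase 1 key derivation (RFC 2409 s.5.4) and why Main Mode with PSK
needs the PSK before the peer's ID arrives.  Added illustration; not Cisco's
or the list's code.  Assumes HMAC-SHA1 prf, Oakley group 2, and a stand-in
XOR cipher ('toy_cipher') in place of the negotiated IKE cipher."""
import hashlib
import hmac
import secrets

# Oakley group 2: the 1024-bit MODP prime from RFC 2409 section 6.2, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: keyed HMAC of the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """PSK authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def skeyid_sig(ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    """Signature authentication: SKEYID = prf(Ni_b | Nr_b, g^xy); no PSK involved."""
    return prf(ni + nr, gxy)


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a, SKEYID_e per RFC 2409 section 5; SKEYID_e keys MM5/MM6."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated cipher: XOR with a prf-derived keystream.
    Not IKE's real encryption; it only models 'unreadable without SKEYID_e'."""
    stream = b"".join(prf(key, bytes([i])) for i in range(len(data) // 20 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sa_i, id_i) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sa_i + id_i)


def main_mode_psk(psk_by_peer_ip: dict, peer_ip: str, initiator_psk: bytes,
                  id_i: bytes, sa_i: bytes = b"SA-proposal"):
    """Simulate MM1-MM5.  Returns (ID as decrypted, HASH_I ok) from the
    responder's view, or None if it has no PSK for the initiator's address."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # MM1 / MM2
    xi, xr = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    gxi = pow(G, xi, P).to_bytes(128, "big")                         # MM3
    gxr = pow(G, xr, P).to_bytes(128, "big")                         # MM4
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)        # MM3 / MM4
    gxy = pow(int.from_bytes(gxr, "big"), xi, P).to_bytes(128, "big")

    # Initiator after MM4: SKEYID from its own PSK, then encrypt IDii + HASH_I (MM5).
    sk_init = skeyid_psk(initiator_psk, ni, nr)
    _, _, e_init = derive_keys(sk_init, gxy, cky_i, cky_r)
    mm5 = toy_cipher(e_init, id_i + hash_i(sk_init, gxi, gxr, cky_i, cky_r, sa_i, id_i))

    # Responder after MM4: no ID yet, so the only selector is the peer address.
    psk_guess = psk_by_peer_ip.get(peer_ip)
    if psk_guess is None:
        return None
    sk_resp = skeyid_psk(psk_guess, ni, nr)
    _, _, e_resp = derive_keys(sk_resp, gxy, cky_i, cky_r)
    plain = toy_cipher(e_resp, mm5)          # garbage unless psk_guess was right
    got_id, got_hash = plain[:-20], plain[-20:]
    expected = hash_i(sk_resp, gxi, gxr, cky_i, cky_r, sa_i, got_id)
    return got_id, hmac.compare_digest(got_hash, expected)


def aggressive_mode_psk(psk_by_group: dict, group_id: bytes, initiator_psk: bytes) -> bool:
    """AM1 carries IDii in the clear, so the responder selects the PSK by group
    name before deriving SKEYID.  True when both sides derive the same SKEYID."""
    psk = psk_by_group.get(group_id)
    if psk is None:
        return False
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # AM1 / AM2
    return hmac.compare_digest(skeyid_psk(psk, ni, nr), skeyid_psk(initiator_psk, ni, nr))
```

The last comparison in each function is the check a real responder makes. Because the only selector available before MM5 is the peer address, a population of remote clients arriving from unpredictable addresses can only be served in Main Mode by one PSK shared by all of them, which is the disadvantage Piotr refers to and the reason EasyVPN pairs PSK with Aggressive Mode while RSA signatures, whose SKEYID does not depend on a PSK (`skeyid_sig`), can stay in Main Mode.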
