Yes.

2012/3/15 Kingsley Charles <[email protected]>

> So you agree with me that the SKEY has PSK as an ingredient....
>
> With regards
> Kings
>
>
> On Wed, Mar 14, 2012 at 7:55 PM, Joe Astorino <[email protected]> wrote:
>
>> Piotr,
>>
>> Perfect explanation, thank you!  I didn't have the DH in front of me
>> late last night (early this morning hehe) but now it is plain to
>> see... Kings, if you take a look at the DH exchange you will see Piotr
>> is spot on.  MM3 and MM4 are only exchanges of DH public values and
>> nonces.  It is after MM4 but before MM5 that the shared secret
>> derived from DH is actually calculated, and also during this time SKEY
>> is generated, which is partly based on the PSK.
>>
>> It makes sense now...I was on the right track, but missing some of the
>> small details (and you all know how much I love the details!)
>>
>> On Wed, Mar 14, 2012 at 6:44 AM, Piotr Matusiak <[email protected]> wrote:
>> > Hi Joe,
>> >
>> >
>> > PSK is not used by DH but it is required to be known after DH exchange and
>> > before sending MM5. This is a real disadvantage (and security risk) when
>> > you're using MM with PSK.
>> > You're right saying that PSK in EasyVPN must be known earlier as all
>> > information (including ID Payload) is sent using AM Msg#1. This is only used
>> > with EasyVPN (I mean AM is used). When using RSA-sig with EasyVPN this is
>> > done with MM.
>> >
>> > Using AM with RSA-sig is also possible but not recommended.
>> >
>> > Regards,
>> > Piotr
>> >
>> > 2012/3/14 Joe Astorino <[email protected]>
>> >>
>> >> Oh. I think it is because the PSK is used as part of the DH key
>> >> exchange in MM4. If the server does not have the group ID at that
>> >> point (because it is not communicated to the server until MM5) it
>> >> would be unable to deduce what PSK to use for DH key exchange. Is that
>> >> right?
>> >>
>> >> Conversely with rsa-sig obviously the PSK is not used in the DH key
>> >> exchange so we can proceed with MM
>> >>
>> >> Sorry it seems I have been answering my own questions after pondering
>> >> them a bit. Also, when learning fresh things I always need lots of
>> >> reassurance I got it right : )
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On 3/14/12, Joe Astorino <[email protected]> wrote:
>> >> > Can anybody help me understand why EZVPN with PSK auth uses IKE MM but
>> >> > with rsa-sig uses IKE AM?
>> >> >
>> >> > I get that in aggressive mode we pass the IKE ID in clear text and that
>> >> > the ID we pass identifies the group name and thus allows the server to
>> >> > find the PSK configured for the group.
>> >> >
>> >> > I am just fuzzy on why that can't still happen with IKE MM encrypted
>> >> > in MM5. Thanks!
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Sent from my mobile device
>> >> >
>> >> > Regards,
>> >> >
>> >> > Joe Astorino
>> >> > CCIE #24347
>> >> > http://astorinonetworks.com
>> >> >
>> >> > "He not busy being born is busy dying" - Dylan
>> >> >
>> >>
>> >> --
>> >> Sent from my mobile device
>> >>
>> >> Regards,
>> >>
>> >> Joe Astorino
>> >> CCIE #24347
>> >> http://astorinonetworks.com
>> >>
>> >> "He not busy being born is busy dying" - Dylan
>> >> _______________________________________________
>> >> For more information regarding industry leading CCIE Lab training, please
>> >> visit www.ipexpert.com
>> >>
>> >> Are you a CCNP or CCIE and looking for a job? Check out
>> >> www.PlatinumPlacement.com
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan
>>
>
>
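The derivation the thread settles on, as an added example that is not part of any message above: the IKEv1 phase 1 key material per RFC 2409 section 5, with HMAC-SHA1 assumed as the negotiated prf and the nonces, cookies, DH shared secret and PSKs being constructed sample values. It shows why SKEYID (and so SKEYID_e, which protects MM5) cannot be formed under PSK authentication until the responder knows which PSK applies.

```python
import hmac
import hashlib

# RFC 2409 section 5: the prf is HMAC keyed with the negotiated hash.
# HMAC-SHA1 is assumed here as the negotiated hash algorithm.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared key authentication: prf(PSK, Ni_b | Nr_b).
    Needs the PSK plus the nonces carried in MM3/MM4, so the responder must
    already know which PSK applies before it can build or read MM5."""
    return prf(psk, ni_b + nr_b)

def skeyid_sig(ni_b: bytes, nr_b: bytes, gxy: bytes) -> bytes:
    """SKEYID for signature authentication: prf(Ni_b | Nr_b, g^xy).
    No PSK is involved; only the nonces and the DH shared secret."""
    return prf(ni_b + nr_b, gxy)

def derive_skeyids(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a, SKEYID_e per RFC 2409 section 5; SKEYID_e keys
    the encryption of MM5/MM6 (and later of phase 2)."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e

# Constructed sample values standing in for the exchange's nonces, cookies
# and DH shared secret (real ones are random or derived, never fixed bytes).
NI_B = bytes.fromhex("00112233445566778899aabbccddeeff")
NR_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("0807060504030201")
GXY = hashlib.sha256(b"constructed DH shared secret").digest()

def mm5_keys_match(initiator_psk: bytes, responder_psk: bytes) -> bool:
    """Whether both sides reach the same SKEYID_e after MM4, i.e. whether the
    responder can decrypt MM5. If it guessed the wrong PSK (the thread's
    point: the ID payload has not been seen yet), the keys diverge."""
    _, _, e_i = derive_skeyids(skeyid_psk(initiator_psk, NI_B, NR_B), GXY, CKY_I, CKY_R)
    _, _, e_r = derive_skeyids(skeyid_psk(responder_psk, NI_B, NR_B), GXY, CKY_I, CKY_R)
    return hmac.compare_digest(e_i, e_r)

if __name__ == "__main__":
    print("same PSK, MM5 readable:", mm5_keys_match(b"group-psk", b"group-psk"))
    print("wrong PSK, MM5 unreadable:", mm5_keys_match(b"group-psk", b"other-psk"))
```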
