Yes.

2012/3/15 Kingsley Charles <[email protected]>

> So you agree with me that the SKEY has PSK as an ingredient....
>
> With regards
> Kings
>
> On Wed, Mar 14, 2012 at 7:55 PM, Joe Astorino <[email protected]> wrote:
>
>> Piotr,
>>
>> Perfect explanation, thank you! I didn't have the DH in front of me
>> late last night (early this morning hehe) but now it is plain to
>> see... Kings, if you take a look at the DH exchange you will see Piotr
>> is spot on. MM3 and MM4 are only exchanges of DH public values and
>> nonces. It is after MM4 but before MM5 that the shared secret
>> derived from DH is actually calculated, and also during this time SKEY
>> is generated, which is partly based on the PSK.
>>
>> It makes sense now...I was on the right track, but missing some of the
>> small details (and you all know how much I love the details!)
>>
>> On Wed, Mar 14, 2012 at 6:44 AM, Piotr Matusiak <[email protected]> wrote:
>> > Hi Joe,
>> >
>> > PSK is not used by DH but it is required to be known after DH exchange
>> > and before sending MM5. This is a real disadvantage (and security risk)
>> > when you're using MM with PSK.
>> > You're right saying that PSK in EasyVPN must be known earlier as all
>> > information (including ID Payload) is sent using AM Msg#1. This is only
>> > used with EasyVPN (I mean AM is used). When using RSA-sig with EasyVPN
>> > this is done with MM.
>> >
>> > Using AM with RSA-sig is also possible but not recommended.
>> >
>> > Regards,
>> > Piotr
>> >
>> > 2012/3/14 Joe Astorino <[email protected]>
>> >>
>> >> Oh. I think it is because the PSK is used as part of the DH key
>> >> exchange in MM4. If the server does not have the group ID at that
>> >> point (because it is not communicated to the server until MM5) it
>> >> would be unable to deduce what PSK to use for DH key exchange. Is that
>> >> right?
>> >>
>> >> Conversely with rsa-sig obviously the PSK is not used in the DH key
>> >> exchange so we can proceed with MM
>> >>
>> >> Sorry it seems I have been answering my own questions after pondering
>> >> them a bit. Also, when learning fresh things I always need lots of
>> >> reassurance I got it right : )
>> >>
>> >> On 3/14/12, Joe Astorino <[email protected]> wrote:
>> >> > Can anybody help me understand why EZVPN with PSK auth uses IKE MM
>> >> > but with rsa-sig uses IKE AM?
>> >> >
>> >> > I get that in aggressive mode we pass the IKE ID in clear text and
>> >> > that the ID we pass identifies the group name and thus allows the
>> >> > server to find the PSK configured for the group.
>> >> >
>> >> > I am just fuzzy on why that can't still happen with IKE MM encrypted
>> >> > in MM5. Thanks!
>> >> >
>> >> > --
>> >> > Sent from my mobile device
>> >> >
>> >> > Regards,
>> >> >
>> >> > Joe Astorino
>> >> > CCIE #24347
>> >> > http://astorinonetworks.com
>> >> >
>> >> > "He not busy being born is busy dying" - Dylan
>> >>
>> >> _______________________________________________
>> >> For more information regarding industry leading CCIE Lab training,
>> >> please visit www.ipexpert.com
>> >>
>> >> Are you a CCNP or CCIE and looking for a job? Check out
>> >> www.PlatinumPlacement.com
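The key derivation Piotr and Joe are describing, written out as an added example (not code from anyone in this thread): the RFC 2409 pre-shared-key derivation, with HMAC-SHA1 assumed as the negotiated prf and all nonces, cookies and the DH secret replaced by constructed sample bytes. It shows that SKEYID is keyed with the PSK and the two nonces, that g^xy only enters at SKEYID_d, and that SKEYID_e, which protects MM5, therefore already depends on the PSK before the ID payload in MM5 can be read.

```python
import hashlib
import hmac

# Constructed sample values. Real nonces and cookies are random; g^xy is the
# Diffie-Hellman shared secret both peers compute after MM3/MM4.
NI_B = bytes.fromhex("11" * 16)            # initiator nonce, sent in MM3
NR_B = bytes.fromhex("22" * 16)            # responder nonce, sent in MM4
CKY_I = bytes.fromhex("0102030405060708")  # initiator ISAKMP cookie
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")  # responder ISAKMP cookie
G_XY = bytes.fromhex("33" * 32)            # DH shared secret (constructed)


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_ike_keys(psk: bytes, g_xy: bytes = G_XY, ni_b: bytes = NI_B,
                    nr_b: bytes = NR_B, cky_i: bytes = CKY_I,
                    cky_r: bytes = CKY_R) -> dict:
    """Phase 1 keying for pre-shared-key authentication (RFC 2409 section 5).
    SKEYID is keyed with the PSK and mixes only the two nonces; the DH secret
    g^xy first appears one step later, in SKEYID_d."""
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    # SKEYID_e keys the cipher protecting MM5/MM6, where the ID payload travels.
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def psk_needed_before_mm5(psk_a: bytes, psk_b: bytes) -> bool:
    """True when two different PSKs yield different SKEYID_e values: the
    responder must already hold the right PSK to decrypt MM5, so in main mode
    it cannot select the PSK from the identity that MM5 carries."""
    return derive_ike_keys(psk_a)["SKEYID_e"] != derive_ike_keys(psk_b)["SKEYID_e"]


if __name__ == "__main__":
    for name, key in derive_ike_keys(b"group-secret").items():
        print(f"{name:9s} {key.hex()}")
```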
