Kings, The shared secret derived from DH key exchange in MM3/MM4 does not involve the PSK. If it did, the DH key exchange would have to define some variable for that, and it doesn't. DH key exchange is strictly a function of the variables defined (I believe the values are g, a or b, and p and none of those represents the PSK)
After the shared secret is derived from DH exchange, THEN that shared secret is used in conjunction with the PSK to generate session keys (SKEY). This happens just before MM5. On 3/15/12, Kingsley Charles <[email protected]> wrote: > I still believe PSK is also used for generating the keys. > > There is no way we can check the internal working. But to prove that psk is > used, IPSec VPN with psk requires the crypto isakmp key to be configured > with address not hostname. Hostnames can be used with Aggressive mode only > with psk as authentication method. > > With regards > Kings > > On Thu, Mar 15, 2012 at 12:37 PM, Piotr Matusiak <[email protected]> wrote: > >> Yes. >> >> >> 2012/3/15 Kingsley Charles <[email protected]> >> >>> So you agree with me that the SKEY has PSK as an ingredient.... >>> >>> With regards >>> Kings >>> >>> >>> On Wed, Mar 14, 2012 at 7:55 PM, Joe Astorino >>> <[email protected]>wrote: >>> >>>> Piotr, >>>> >>>> Perfect explanation, thank you! I didn't have the DH in front of me >>>> late last night (early this morning hehe) but now it is plain to >>>> see... Kings, if you take a look at the DH exchange you will see Piotr >>>> is spot on. MM3 and MM4 are only exchanges of DH public values and >>>> noonces. It is after MM4 but before MM5 that the shared secret >>>> derived from DH is actually calculated, and also during this time SKEY >>>> is generated, which is partly based on the PSK. >>>> >>>> It makes sense now...I was on the right track, but missing some of the >>>> small details (and you all know how much I love the details!) >>>> >>>> On Wed, Mar 14, 2012 at 6:44 AM, Piotr Matusiak <[email protected]> wrote: >>>> > Hi Joe, >>>> > >>>> > >>>> > PSK is not used by DH but it is required to be known after DH exchange >>>> and >>>> > before sending MM5. This is a real disadvantage (and security risk) >>>> when >>>> > you're using MM with PSK. >>>> > You're right saying that PSK in EasyVPN must be known earlier as all >>>> > information (including ID Payload) is sent using AM Msg#1. This is >>>> only used >>>> > with EasyVPN (I mean AM is used). When using RSA-sig with EasyVPN this >>>> is >>>> > done with MM. >>>> > >>>> > Using AM with RSA-sig is also possible but not recommended. >>>> > >>>> > Regards, >>>> > Piotr >>>> > >>>> > 2012/3/14 Joe Astorino <[email protected]> >>>> >> >>>> >> Oh. I think it is because the PSK is used as part of the DH key >>>> >> exchange in MM4. If the server does not have the group ID at that >>>> >> point (because it is not communicated to the server until MM5) it >>>> >> would be unable to deduce what PSK to use for DH key exchange. Is >>>> >> that >>>> >> right? >>>> >> >>>> >> Conversely with rsa-sig obviously the PSK is not used in the DH key >>>> >> exchange so we can proceed with MM >>>> >> >>>> >> Sorry it seems I have been answering my own questions after pondering >>>> >> them a bit. Also, when learning fresh things I always need lots of >>>> >> reassurance I got it right : ) >>>> >> >>>> >> >>>> >> >>>> >> >>>> >> >>>> >> On 3/14/12, Joe Astorino <[email protected]> wrote: >>>> >> > Can anybody help me understand why EZVPN with PSK auth uses IKE MM >>>> but >>>> >> > with rsa-sig uses IKE AM? >>>> >> > >>>> >> > I get that in aggrssive mode we pass the IKE ID in clear text and >>>> that >>>> >> > the ID we pass identifies the group name and thus allows the server >>>> to >>>> >> > find the PSK configured for the group. >>>> >> > >>>> >> > I am just fuzzy on why that can't still happen with IKE MM >>>> >> > encrypted >>>> >> > in MM5. Thanks! >>>> >> > >>>> >> > >>>> >> > >>>> >> > -- >>>> >> > Sent from my mobile device >>>> >> > >>>> >> > Regards, >>>> >> > >>>> >> > Joe Astorino >>>> >> > CCIE #24347 >>>> >> > http://astorinonetworks.com >>>> >> > >>>> >> > "He not busy being born is busy dying" - Dylan >>>> >> > >>>> >> >>>> >> -- >>>> >> Sent from my mobile device >>>> >> >>>> >> Regards, >>>> >> >>>> >> Joe Astorino >>>> >> CCIE #24347 >>>> >> http://astorinonetworks.com >>>> >> >>>> >> "He not busy being born is busy dying" - Dylan >>>> >> _______________________________________________ >>>> >> For more information regarding industry leading CCIE Lab training, >>>> please >>>> >> visit www.ipexpert.com >>>> >> >>>> >> Are you a CCNP or CCIE and looking for a job? Check out >>>> >> www.PlatinumPlacement.com >>>> > >>>> > >>>> >>>> >>>> >>>> -- >>>> Regards, >>>> >>>> Joe Astorino >>>> CCIE #24347 >>>> http://astorinonetworks.com >>>> >>>> "He not busy being born is busy dying" - Dylan >>>> _______________________________________________ >>>> For more information regarding industry leading CCIE Lab training, >>>> please visit www.ipexpert.com >>>> >>>> Are you a CCNP or CCIE and looking for a job? Check out >>>> www.PlatinumPlacement.com >>>> >>> >>> >> > -- Sent from my mobile device Regards, Joe Astorino CCIE #24347 http://astorinonetworks.com "He not busy being born is busy dying" - Dylan _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
