Yep, agreed. On Thu, Mar 15, 2012 at 11:35 AM, Kingsley Charles <[email protected]> wrote: > Except this line from me "Do you mean that psk is not used as an ingredient > for generating the shared secret?", did I tell anywhere the > DH is using PSK to generate the shared secret? > > In that line, I was referring shared secret to SKEID, may be that confused > everyone. > > From the beginning, I was trying to tell that the PSK is used along with > shared secret to generate the SKEIDs :-) > > DH is an algorithm that is just used in IKE. PSK doesn't come into picture > with DH.... > > > With regards > Kings > > > On Thu, Mar 15, 2012 at 6:09 PM, Joe Astorino <[email protected]> > wrote: >> >> Kings, >> >> The shared secret derived from DH key exchange in MM3/MM4 does not >> involve the PSK. If it did, the DH key exchange would have to define >> some variable for that, and it doesn't. DH key exchange is strictly a >> function of the variables defined (I believe the values are g, a or b, >> and p and none of those represents the PSK) >> >> After the shared secret is derived from DH exchange, THEN that shared >> secret is used in conjunction with the PSK to generate session keys >> (SKEY). This happens just before MM5. >> >> >> >> On 3/15/12, Kingsley Charles <[email protected]> wrote: >> > I still believe PSK is also used for generating the keys. >> > >> > There is no way we can check the internal working. But to prove that psk >> > is >> > used, IPSec VPN with psk requires the crypto isakmp key to be configured >> > with address not hostname. Hostnames can be used with Aggressive mode >> > only >> > with psk as authentication method. >> > >> > With regards >> > Kings >> > >> > On Thu, Mar 15, 2012 at 12:37 PM, Piotr Matusiak <[email protected]> wrote: >> > >> >> Yes. >> >> >> >> >> >> 2012/3/15 Kingsley Charles <[email protected]> >> >> >> >>> So you agree with me that the SKEY has PSK as an ingredient.... >> >>> >> >>> With regards >> >>> Kings >> >>> >> >>> >> >>> On Wed, Mar 14, 2012 at 7:55 PM, Joe Astorino >> >>> <[email protected]>wrote: >> >>> >> >>>> Piotr, >> >>>> >> >>>> Perfect explanation, thank you! I didn't have the DH in front of me >> >>>> late last night (early this morning hehe) but now it is plain to >> >>>> see... Kings, if you take a look at the DH exchange you will see >> >>>> Piotr >> >>>> is spot on. MM3 and MM4 are only exchanges of DH public values and >> >>>> noonces. It is after MM4 but before MM5 that the shared secret >> >>>> derived from DH is actually calculated, and also during this time >> >>>> SKEY >> >>>> is generated, which is partly based on the PSK. >> >>>> >> >>>> It makes sense now...I was on the right track, but missing some of >> >>>> the >> >>>> small details (and you all know how much I love the details!) >> >>>> >> >>>> On Wed, Mar 14, 2012 at 6:44 AM, Piotr Matusiak <[email protected]> >> >>>> wrote: >> >>>> > Hi Joe, >> >>>> > >> >>>> > >> >>>> > PSK is not used by DH but it is required to be known after DH >> >>>> > exchange >> >>>> and >> >>>> > before sending MM5. This is a real disadvantage (and security risk) >> >>>> when >> >>>> > you're using MM with PSK. >> >>>> > You're right saying that PSK in EasyVPN must be known earlier as >> >>>> > all >> >>>> > information (including ID Payload) is sent using AM Msg#1. This is >> >>>> only used >> >>>> > with EasyVPN (I mean AM is used). When using RSA-sig with EasyVPN >> >>>> > this >> >>>> is >> >>>> > done with MM. >> >>>> > >> >>>> > Using AM with RSA-sig is also possible but not recommended. >> >>>> > >> >>>> > Regards, >> >>>> > Piotr >> >>>> > >> >>>> > 2012/3/14 Joe Astorino <[email protected]> >> >>>> >> >> >>>> >> Oh. I think it is because the PSK is used as part of the DH key >> >>>> >> exchange in MM4. If the server does not have the group ID at that >> >>>> >> point (because it is not communicated to the server until MM5) it >> >>>> >> would be unable to deduce what PSK to use for DH key exchange. Is >> >>>> >> that >> >>>> >> right? >> >>>> >> >> >>>> >> Conversely with rsa-sig obviously the PSK is not used in the DH >> >>>> >> key >> >>>> >> exchange so we can proceed with MM >> >>>> >> >> >>>> >> Sorry it seems I have been answering my own questions after >> >>>> >> pondering >> >>>> >> them a bit. Also, when learning fresh things I always need lots of >> >>>> >> reassurance I got it right : ) >> >>>> >> >> >>>> >> >> >>>> >> >> >>>> >> >> >>>> >> >> >>>> >> On 3/14/12, Joe Astorino <[email protected]> wrote: >> >>>> >> > Can anybody help me understand why EZVPN with PSK auth uses IKE >> >>>> >> > MM >> >>>> but >> >>>> >> > with rsa-sig uses IKE AM? >> >>>> >> > >> >>>> >> > I get that in aggrssive mode we pass the IKE ID in clear text >> >>>> >> > and >> >>>> that >> >>>> >> > the ID we pass identifies the group name and thus allows the >> >>>> >> > server >> >>>> to >> >>>> >> > find the PSK configured for the group. >> >>>> >> > >> >>>> >> > I am just fuzzy on why that can't still happen with IKE MM >> >>>> >> > encrypted >> >>>> >> > in MM5. Thanks! >> >>>> >> > >> >>>> >> > >> >>>> >> > >> >>>> >> > -- >> >>>> >> > Sent from my mobile device >> >>>> >> > >> >>>> >> > Regards, >> >>>> >> > >> >>>> >> > Joe Astorino >> >>>> >> > CCIE #24347 >> >>>> >> > http://astorinonetworks.com >> >>>> >> > >> >>>> >> > "He not busy being born is busy dying" - Dylan >> >>>> >> > >> >>>> >> >> >>>> >> -- >> >>>> >> Sent from my mobile device >> >>>> >> >> >>>> >> Regards, >> >>>> >> >> >>>> >> Joe Astorino >> >>>> >> CCIE #24347 >> >>>> >> http://astorinonetworks.com >> >>>> >> >> >>>> >> "He not busy being born is busy dying" - Dylan >> >>>> >> _______________________________________________ >> >>>> >> For more information regarding industry leading CCIE Lab training, >> >>>> please >> >>>> >> visit www.ipexpert.com >> >>>> >> >> >>>> >> Are you a CCNP or CCIE and looking for a job? Check out >> >>>> >> www.PlatinumPlacement.com >> >>>> > >> >>>> > >> >>>> >> >>>> >> >>>> >> >>>> -- >> >>>> Regards, >> >>>> >> >>>> Joe Astorino >> >>>> CCIE #24347 >> >>>> http://astorinonetworks.com >> >>>> >> >>>> "He not busy being born is busy dying" - Dylan >> >>>> _______________________________________________ >> >>>> For more information regarding industry leading CCIE Lab training, >> >>>> please visit www.ipexpert.com >> >>>> >> >>>> Are you a CCNP or CCIE and looking for a job? Check out >> >>>> www.PlatinumPlacement.com >> >>>> >> >>> >> >>> >> >> >> > >> >> -- >> Sent from my mobile device >> >> Regards, >> >> Joe Astorino >> CCIE #24347 >> http://astorinonetworks.com >> >> "He not busy being born is busy dying" - Dylan > >
-- Regards, Joe Astorino CCIE #24347 http://astorinonetworks.com "He not busy being born is busy dying" - Dylan _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
