> > One thing of note if you have the normal sort of roadwarriors (i.e., they
> > have variable IP addresses). Because of what most consider a flaw in the
> > IPSec specification, if you use pre-shared keys, you will have *one* PSK for
> > *all* roadwarriors.
>
> Not a flaw in IPSec, just a flaw in the implementation of whatever IPSec
> implementation you are running. I have one PSK per remote site here and it
> works perfectly. I use a hardware IPSec card to do all the work. Each
> connection essentially has a full clone of the connection and can be
> started and stopped at will.
No, a flaw in the IPsec specification. Do your remote sites all have variable IP addresses? If so, how do you distinguish them from one another before verifying PSKs? According to the spec, identity exchange occurs in (I believe) phase 2, after PSKs have been used to establish the encrypted ISAKMP session. I could be wrong about this, but people who know more about this than I do have repeatedly told me that this is how it's done.

But, no matter what, we have digressed severely from things netfilter-related.

-Joe
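The ordering problem Joe is pointing at, as an added example that is not part of the thread: in IKEv1 main mode with pre-shared-key authentication (RFC 2409, section 5.4), SKEYID is derived from the PSK and the two nonces, and the messages that carry the identity payloads are encrypted under a key derived from SKEYID, so a responder has to choose the PSK from the initiator's source address alone. HMAC-SHA1 as the prf and all nonces, cookies, addresses and keys below are constructed assumptions.

```python
import hashlib
import hmac

# IKEv1 phase 1 (main mode) with pre-shared-key authentication, RFC 2409 5.4:
#   SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
#   SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
#   SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
#   SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
# The identity payloads travel in messages 5 and 6, encrypted under a key
# derived from SKEYID_e. HMAC-SHA1 is assumed as the negotiated prf.

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e

def responder_psk(psk_by_ip, src_ip, group_psk):
    # Before message 5 is decrypted, the initiator's source address is the
    # only selector the responder has, so an address it does not know can
    # only map to one shared PSK (the "one PSK for all roadwarriors" issue).
    return psk_by_ip.get(src_ip, group_psk)

def id_payload_readable(initiator_psk, responder_choice):
    # Constructed handshake values standing in for one exchange; the public
    # values (nonces, DH result, cookies) are the same on both sides.
    ni, nr, gxy = b"I" * 16, b"R" * 16, b"G" * 32
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    _, _, e_init = phase1_keys(initiator_psk, ni, nr, gxy, cky_i, cky_r)
    _, _, e_resp = phase1_keys(responder_choice, ni, nr, gxy, cky_i, cky_r)
    # Matching SKEYID_e means the responder can decrypt message 5 and learn IDii.
    return hmac.compare_digest(e_init, e_resp)

# Constructed table: one fixed-address site with its own PSK, a group PSK
# for everyone else, and two roadwarriors whose addresses are unpredictable.
SITE_PSKS = {"203.0.113.10": b"site-psk"}
GROUP_PSK = b"shared-roadwarrior-psk"
ROADWARRIOR_PSKS = {"alice": b"alice-psk", "bob": b"bob-psk"}

if __name__ == "__main__":
    print("site:", id_payload_readable(b"site-psk", responder_psk(SITE_PSKS, "203.0.113.10", GROUP_PSK)))
    for name, psk in ROADWARRIOR_PSKS.items():
        choice = responder_psk(SITE_PSKS, "198.51.100.77", GROUP_PSK)
        print(name, "with own PSK:", id_payload_readable(psk, choice))
```

Only the fixed-address site can keep a distinct key; a roadwarrior arriving from an unknown address is readable only if it uses the group PSK.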