Thank you so much, Martin, for the quick response. Now I understand. The IP address lookup came into the picture to address the Main Mode issue.

Best,
Jordan

On Tue, Dec 11, 2012 at 12:53 AM, Martin Willi <[email protected]> wrote:
> Hi Jordan,
>
> > Is this expected? Can anyone please explain to me whether there is
> > a dependency between the PSK selector and the connection leftid/rightid?
>
> The problem is that with IKEv1 in Main Mode, you need the PSK before you
> even get the remote identity or could look up an associated
> configuration. Therefore, we use the following to get a PSK:
>
> 1. Try to find a PSK by the remote and local IP address. This will
>    yield the PSK in your configuration.
> 2. If no PSK is found, but we are using Aggressive Mode or act as
>    initiator, we can look up the PSK using the peer identities.
> 3. If no PSK is found, the daemon tries to find a configuration by
>    the local and remote IP address, and then uses the
>    configuration's peer identities to find a PSK.
>
> In practice, using different PSKs for clients without a static IP is
> difficult; IKEv1 just doesn't allow that. You could use Aggressive Mode,
> where the identity is transferred in plain, but this makes you
> vulnerable to dictionary attacks against your PSK.
>
> So the recommendation is: don't use PSKs for IKEv1 clients not having a
> static IP.
>
> Regards
> Martin
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
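The three lookup steps Martin describes, shown as an ipsec.conf/ipsec.secrets pair. This is an added illustration, not configuration from the thread or from the strongSwan project; the hostnames, identities, addresses (documentation ranges) and secrets are placeholders chosen for the example. It contrasts a static-IP peer whose PSK is found by IP pair in Main Mode (step 1), a Main Mode roadwarrior that can only ever receive a PSK keyed on %any, and an Aggressive Mode roadwarrior whose identity-keyed PSK is found by step 2 at the cost of exposing the PSK to offline dictionary attacks.

```conf
# /etc/ipsec.conf  (added example; addresses and identities are placeholders)
config setup

# Site-to-site peer with a static address. Main Mode works because the
# daemon can select the PSK by the local/remote IP pair (step 1) before
# the peer's identity has been received.
conn site-b
    keyexchange=ikev1
    authby=secret
    left=192.0.2.1
    leftid=@site-a.example.org
    right=198.51.100.7
    rightid=@site-b.example.org
    auto=add

# Roadwarriors (right=%any) in Main Mode. The remote IP is not known in
# advance, so step 1 finds no IP-keyed secret and step 3 only reaches
# this %any conn; the only PSK that can ever be selected is one keyed
# on %any, i.e. a single secret shared by every roadwarrior.
conn roadwarrior-main
    keyexchange=ikev1
    authby=secret
    left=192.0.2.1
    leftid=@site-a.example.org
    right=%any
    auto=add

# Aggressive Mode carries the client identity in the clear, so a
# per-client PSK keyed on that identity can be found (step 2). The
# price is that the PSK becomes exposed to offline dictionary attacks,
# which is why the thread recommends against PSKs for such clients
# (certificate-based authentication is the usual alternative).
conn roadwarrior-aggressive
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    left=192.0.2.1
    leftid=@site-a.example.org
    right=%any
    rightid=%any
    auto=add

# /etc/ipsec.secrets  (added example; secrets are placeholders)

# Selected by the IP pair (step 1): this is the entry Main Mode can use.
192.0.2.1 198.51.100.7 : PSK "site-b-secret-change-me"

# Per-client secrets keyed on identity: reachable only via step 2, i.e.
# in Aggressive Mode (or when this host is the initiator).
@alice.example.org : PSK "alice-secret-change-me"
@bob.example.org   : PSK "bob-secret-change-me"

# Fallback for Main Mode roadwarriors: one secret shared by all of them.
# Keep it last so it is only used when nothing more specific matches.
%any : PSK "shared-roadwarrior-secret-change-me"
```

Reading the two files together makes the practical constraint visible: only the site-b entry and the %any entry can be reached by a Main Mode responder, so "different PSKs per dynamic-IP client" is achievable with IKEv1 only by enabling Aggressive Mode, which is exactly the trade-off Martin warns against.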
