[Openswan Users] NAT-T and PSK
Paul Wouters
paul at xelerance.com
Tue Apr 18 20:42:15 CEST 2006
On Tue, 18 Apr 2006, Domingo Antonio wrote:
> Is presharedkeys compatible with NAT-T?
Possible but VERY STRONGLY discouraged.
> I'm asking this, because in racoon (ipsec-tools) documentation they
> say:
> "With NAT-T you shouldn't use PSK. Let's go on with certs..."
They are right.
PSK security is partially based on the IP address. For NAT-T, this address
changes. As a result you can only group the entire internet together in one
PSK for "0.0.0.0/0", and all your clients need to know the same secret. The
more clients, the more risk your secret is exposed to.
Paul
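As an added illustration of the two setups Paul contrasts (this is not part of his message or of the Openswan project's documentation), the following hypothetical Openswan fragments show the catch-all PSK that NAT-T road warriors force you into next to a certificate-based `conn` that needs no shared secret. Hostnames, file names and the secret are placeholders; the keywords follow Openswan 2.x `ipsec.conf(5)`/`ipsec.secrets(5)` syntax as I recall it, so check them against your installed version.

```ini
# --- Weak: the only PSK that can match NAT-T clients whose address keeps changing ---
# /etc/ipsec.secrets (constructed example)
# %any matches every peer address, so every road warrior must hold this one secret;
# one lost laptop or one departed user compromises authentication for all of them,
# and rotating the secret means touching every client at once.
gateway.example.org %any : PSK "PLACEHOLDER-shared-by-everyone"

# /etc/ipsec.conf (constructed example)
config setup
    nat_traversal=yes

conn roadwarriors-psk
    authby=secret
    left=%defaultroute
    right=%any
    auto=add

# --- Preferred: per-client X.509 certificates, no secret shared across clients ---
# /etc/ipsec.secrets (constructed example)
# The gateway's own private key is the only secret on this host.
: RSA gateway-key.pem "PLACEHOLDER-private-key-passphrase"

# /etc/ipsec.conf (constructed example)
conn roadwarriors-cert
    authby=rsasig
    left=%defaultroute
    leftcert=gateway-cert.pem
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    # Accept any client certificate issued by the same CA as our own;
    # a compromised client is handled by revoking just that certificate.
    rightca=%same
    auto=add
```

The point of the comparison is the blast radius: with the wildcard PSK, the peer's identity is effectively "whoever knows the string", so every client shares one credential and one revocation event; with `authby=rsasig` each client authenticates with its own key and certificate, and removing one client does not disturb the others.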