[Openswan Users] NAT-T and PSK

Paul Wouters paul at xelerance.com
Tue Apr 18 20:42:15 CEST 2006

On Tue, 18 Apr 2006, Domingo Antonio wrote:

> 	Is preshared keys compatible with NAT-T?

Possible but VERY STRONGLY discouraged.

> 	I'm asking this, because in racoon (ipsec-tools) documentation they
> say:
> 	"With NAT-T you shouldn't use PSK. Let's go on with certs..."

They are right.

PSK security is partially based on the IP address. For NAT-T, this address
changes. As a result you can only group the entire internet together in one
PSK for "", and all your clients need to know the same secret. The
more clients, the more risk your secret is exposed to.
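As an added illustration (not part of the original thread), here are the two Openswan configurations the answer contrasts: the wildcard PSK that every NAT-T road warrior has to share, beside a certificate-based setup that binds authentication to each client's own key rather than to its address. The addresses, distinguished names, file names and secret are assumed placeholders.

```conf
# /etc/ipsec.secrets -- WEAK: the PSK is chosen by peer IP address, and
# NAT hides that address. A road warrior behind NAT shows up from an
# unpredictable public IP, so the only usable entry is the wildcard one,
# which means every client must know the same secret.
%any %any : PSK "one-secret-shared-by-every-client"

# /etc/ipsec.secrets -- PREFERRED: only the gateway's own private key is
# listed here; each client carries its own certificate and key, so no
# secret is shared between clients (assumed path and passphrase).
: RSA /etc/ipsec.d/private/gatewayKey.pem "key-passphrase"

# /etc/ipsec.conf -- connection for NAT-T road warriors using certificates
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn roadwarrior-cert
    authby=rsasig
    # assumed gateway address and certificate (relative to /etc/ipsec.d/certs)
    left=203.0.113.5
    leftcert=gatewayCert.pem
    leftid="C=XX, O=Example, CN=vpn.example.test"
    leftsubnet=10.1.0.0/16
    # any source address is accepted; the peer is identified by its
    # certificate, not by where it connects from
    right=%any
    rightrsasigkey=%cert
    # accept any client certificate issued by the same CA as the gateway's
    rightca=%same
    auto=add
```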
