[Openswan Users] NAT-T and PSK

Paul Wouters paul at xelerance.com
Tue Apr 18 20:42:15 CEST 2006


On Tue, 18 Apr 2006, Domingo Antonio wrote:

> 	Are preshared keys compatible with NAT-T?

Possible but VERY STRONGLY discouraged.

> 	I'm asking this, because in racoon (ipsec-tools) documentation they
> say:
> 	"With NAT-T you shouldn't use PSK. Let's go on with certs..."

They are right.

PSK security is partially based on the IP address. For NAT-T, this address
changes. As a result you can only group the entire internet together in one
PSK for "0.0.0.0/0", and all your clients need to know the same secret. The
more clients, the more risk your secret is exposed to.

Paul
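To make Paul's point concrete, here is an added illustration (not part of the original thread, and not Openswan project configuration) of the two Openswan setups he contrasts: a road-warrior connection authenticated by a wildcard PSK, and the same connection authenticated by X.509 certificates. Host names, paths, DN values and the secret string are placeholders; the `ipsec.secrets` and `ipsec.conf` keywords are the standard Openswan ones.

```ini
# --- /etc/ipsec.secrets: how Openswan selects a PSK ---------------------------
# Each PSK line is indexed by the IP addresses (or IDs) of both peers. A fixed
# peer can have its own secret:
192.0.2.1 198.51.100.7 : PSK "per-peer-secret-placeholder"

# A NAT-T road warrior arrives from whatever address its NAT assigns, so the
# only matching entry is the wildcard one. Every client then shares ONE secret,
# which is the weakness the reply above warns about:
%any %any : PSK "shared-by-every-client-placeholder"

# The certificate-based alternative needs no per-peer secret at all; only the
# gateway's private key is listed (path is a placeholder):
: RSA /etc/ipsec.d/private/gwKey.pem

# --- /etc/ipsec.conf --------------------------------------------------------
config setup
    nat_traversal=yes          # enable NAT-T for both connections below

# Weak setting: wildcard peer + PSK. Any holder of the shared secret can
# authenticate as "a client", and one leaked client means rotating everyone.
conn roadwarrior-psk
    left=%defaultroute
    right=%any
    authby=secret
    auto=add

# Corrected setting: each client presents its own certificate, issued by the
# CA that signed the gateway's certificate; nothing is shared between clients,
# and a lost client certificate is revoked individually.
conn roadwarrior-cert
    left=%defaultroute
    leftcert=gwCert.pem        # gateway certificate in /etc/ipsec.d/certs/
    leftid="C=XX, O=Example, CN=gw.example.com"   # placeholder DN
    right=%any
    rightid="C=XX, O=Example, CN=*"               # accept any client under this DN
    rightca=%same              # client cert must chain to the gateway's CA
    rightrsasigkey=%cert
    authby=rsasig
    auto=add
```

The `%any %any : PSK` line is the configuration-level equivalent of the "0.0.0.0/0" grouping described in the reply: the daemon cannot key the secret on a client address it does not know in advance. In the certificate variant the peer is identified by the DN in its certificate rather than by its source address, so NAT changing the address costs nothing and each client's credential can be revoked on its own.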
