[Openswan Users] NAT-T and PSK

Brian Candler B.Candler at pobox.com
Wed Apr 19 13:01:07 CEST 2006

On Tue, Apr 18, 2006 at 07:42:15PM +0200, Paul Wouters wrote:
> On Tue, 18 Apr 2006, Domingo Antonio wrote:
> > 	Is presharedkeys compatible with NAT-T?
> Possible but VERY STRONGLY discouraged.
> > 	I'm asking this, because in racoon (ipsec-tools) documentation they
> > say:
> > 	"With NAT-T you shouldn't use PSK. Let's go on with certs..."
> They are right.
> PSK security is partially based on the IP address. For NAT-T, this address
> changes. As a result you can only group the entire internet together in one
> PSK for "", and all your clients need to know the same secret. The
> more clients, the more risk your secret is imposed to.

Unless you use Aggressive Mode.

More information about the Users mailing list