[Openswan Users] NAT-T and PSK
Brian Candler
B.Candler at pobox.com
Wed Apr 19 13:01:07 CEST 2006
On Tue, Apr 18, 2006 at 07:42:15PM +0200, Paul Wouters wrote:
> On Tue, 18 Apr 2006, Domingo Antonio wrote:
>
> > Is presharedkeys compatible with NAT-T?
>
> Possible but VERY STRONGLY discouraged.
>
> > I'm asking this, because in racoon (ipsec-tools) documentation they
> > say:
> > "With NAT-T you shouldn't use PSK. Let's go on with certs..."
>
> They are right.
>
> PSK security is partially based on the IP address. For NAT-T, this address
> changes. As a result you can only group the entire internet together in one
> PSK for "0.0.0.0/0", and all your clients need to know the same secret. The
> more clients, the more risk your secret is exposed to.
Unless you use Aggressive Mode.
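The two configurations under discussion, side by side, as an added example (this is not configuration from the original thread or from the Openswan project; the public address 203.0.113.1, the 10.1.0.0/16 subnet, the @vpn.example.com / @client1.example.com IDs and the secrets are placeholders). In main mode the responder must pick the PSK before it has seen the initiator's ID payload, so the only key it can look up for a NAT-ed road warrior is the wildcard %any, and every client shares it. In aggressive mode the ID is carried in the first message, so ipsec.secrets can be indexed by the client's @FQDN and each client gets its own secret.

```conf
# /etc/ipsec.conf (Openswan 2.x syntax)
config setup
        nat_traversal=yes
        # private ranges a client behind NAT may claim as its virtual host address
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# Main mode + PSK: right=%any means one shared secret for the whole internet.
conn rw-psk-main
        left=203.0.113.1
        leftsubnet=10.1.0.0/16
        right=%any
        rightsubnet=vhost:%priv,%no
        authby=secret
        auto=add

# Aggressive mode + PSK: the ID arrives in message 1, so the PSK is selected
# per client. Openswan requires exactly one IKE proposal in aggressive mode.
conn rw-psk-aggr-client1
        left=203.0.113.1
        leftid=@vpn.example.com
        leftsubnet=10.1.0.0/16
        right=%any
        rightid=@client1.example.com
        rightsubnet=vhost:%priv,%no
        authby=secret
        aggrmode=yes
        ike=aes128-sha1;modp1024
        auto=add

# /etc/ipsec.secrets
# main mode: the lookup key can only be the peer IP, and for NAT-T that is %any
203.0.113.1 %any : PSK "placeholder-shared-by-every-main-mode-client"
# aggressive mode: one line per client ID, each with its own secret
@vpn.example.com @client1.example.com : PSK "placeholder-secret-for-client1"
```

Per-client secrets remove the shared-secret problem but not the PSK problem as such: in aggressive mode the ID and the PSK-derived HASH payload go over the wire before any encryption is in place, so a passive listener can run an offline dictionary attack against each client's secret. Use long random PSKs if you go this way, and treat the single modp1024 proposal above as a 2006-era value rather than a recommendation.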