[Openswan Users] NAT-T and PSK
Paul Wouters
paul at xelerance.com
Wed Apr 19 18:00:15 CEST 2006
On Wed, 19 Apr 2006, Brian Candler wrote:
> > PSK security is partially based on the IP address. For NAT-T, this address
> > changes. As a result you can only group the entire internet together in one
> > PSK for "0.0.0.0/0", and all your clients need to know the same secret. The
> > more clients, the more risk your secret is imposed to.
>
> Unless you use Aggressive Mode.
And use one connection per client? Otherwise you still need a group secret.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
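
Added example (not part of the original message and not Openswan code): a simplified Python model of how an IKEv1 responder picks a PSK, illustrating the exchange above. The secrets table, names and addresses are constructed, and the selection rule is an assumption based on Main Mode encrypting the peer ID under PSK-derived keys while Aggressive Mode sends the ID in the clear.

```python
import ipaddress

# Constructed secrets table (hypothetical peers). A selector is either a
# network matched against the peer's source address, or an "@id" string
# matched against the IKE identity the peer presents.
SECRETS = [
    ("203.0.113.10/32", "psk-site-b"),  # peer with a fixed public address
    ("@alice.example", "psk-alice"),    # per-client secret, keyed by ID
    ("@bob.example", "psk-bob"),
    ("0.0.0.0/0", "psk-group"),         # wildcard: everyone else shares this
]


def select_psk(mode, src_ip, peer_id=None):
    """Return (psk, selector) the modelled responder would use.

    mode is "main" or "aggressive". In Main Mode the responder must pick
    the PSK before it can decrypt the ID payload, so only src_ip counts.
    In Aggressive Mode the ID arrives unencrypted and can select the PSK.
    """
    if mode == "aggressive" and peer_id is not None:
        for selector, psk in SECRETS:
            if selector == peer_id:
                return psk, selector
    # Fall back to the most specific address match (longest prefix).
    addr = ipaddress.ip_address(src_ip)
    best = None
    for selector, psk in SECRETS:
        if selector.startswith("@"):
            continue
        net = ipaddress.ip_network(selector)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, psk, selector)
    return (best[1], best[2]) if best else (None, None)


def demo():
    """Roaming client behind NAT: source address is unpredictable."""
    nat_ip = "198.51.100.77"  # constructed NAT gateway address
    return {
        "main": select_psk("main", nat_ip, "@alice.example"),
        "aggressive": select_psk("aggressive", nat_ip, "@alice.example"),
        # No per-client entry for carol: back to the group secret.
        "aggressive_unlisted": select_psk("aggressive", nat_ip, "@carol.example"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```
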