ipsec-tools: use aggressive mode when identifier is set.
From RFC 2409, section 5.4:

    When using pre-shared key authentication with Main Mode the key can
    only be identified by the IP address of the peers since HASH_I must
    be computed before the initiator has processed IDir. Aggressive Mode
    allows for a wider range of identifiers of the pre-shared secret to
    be used. In addition, Aggressive Mode allows two parties to maintain
    multiple, different pre-shared keys and identify the correct one for
    a particular exchange.
From draft-ietf-ipsec-isakmp-xauth-06, section 8:

    When using XAUTH with Pre-Shared keys, where the peer's IP address
    is dynamic, Main Mode SHOULD NOT be used, and is STRONGLY
    DISCOURAGED. In this particular scenario, the phase 1
    authentication becomes suspect as the administrator has little
    choice but to use one single Shared-Key for all users, and
    group-shared keys are susceptible to social engineering attacks.
Change-Id: I2b414098ebb7624e4dc1be1416f746c523952d06
1 file changed
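The ordering constraint the RFC quote describes, as an added toy model (constructed here, not ipsec-tools/racoon code): in Main Mode the message carrying IDii and HASH_I is encrypted under keys derived from SKEYID, and SKEYID depends on the pre-shared key, so the responder must choose the key from the peer address before it can read the identity; in Aggressive Mode IDii arrives in the first message in the clear, so the key can be chosen per identity. The prf is HMAC-SHA1 as in RFC 2409 section 5.4 for PSK authentication (SKEYID = prf(pre-shared-key, Ni_b | Nr_b)); the XOR "encryption" of message 5, the key store contents, the addresses and the identities are all assumptions made only for illustration.

```python
"""Toy model of IKEv1 pre-shared-key selection in Main vs Aggressive Mode.

Constructed example, not code from ipsec-tools.  prf() follows RFC 2409
(HMAC-SHA1 for PSK SKEYID); the message-5 "encryption" is a toy XOR stream
standing in for SKEYID_e-based encryption, and the key store is made up.
"""
import hashlib
import hmac
import os

HASH_LEN = 20  # SHA-1 output length


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def toy_keystream(skeyid: bytes, length: int) -> bytes:
    # Assumption: stand-in for the real SKEYID_e derivation, illustration only.
    out, counter = b"", 0
    while len(out) < length:
        out += prf(skeyid, b"toy-e" + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def toy_crypt(skeyid: bytes, data: bytes) -> bytes:
    """XOR stream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(skeyid, len(data))))


# Responder key store (constructed values).
PSK_BY_ID = {b"alice@example.com": b"alice-secret", b"bob@example.com": b"bob-secret"}
PSK_BY_IP = {"198.51.100.10": b"gateway-secret"}  # static peer, keyable by address
GROUP_PSK = b"group-secret"  # the single key an admin falls back to for dynamic peers


def build_exchange(psk: bytes, idii_b: bytes) -> dict:
    """Initiator side: everything the responder would have collected by the
    time the identity/hash message is processed, plus the message itself."""
    ni, nr = os.urandom(16), os.urandom(16)
    gxi, gxr = os.urandom(32), os.urandom(32)  # stand-ins for DH public values
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    sai_b = b"SA-proposal"
    skeyid = skeyid_psk(psk, ni, nr)
    h = hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    return {"ni": ni, "nr": nr, "gxi": gxi, "gxr": gxr, "cky_i": cky_i,
            "cky_r": cky_r, "sai_b": sai_b, "idii": idii_b, "hash_i": h,
            # Main Mode message 5: IDii and HASH_I, encrypted under SKEYID-derived keys.
            "msg5": toy_crypt(skeyid, idii_b + h)}


def _verify(skeyid: bytes, ex: dict, idii_b: bytes, received: bytes) -> bool:
    expected = hash_i(skeyid, ex["gxi"], ex["gxr"], ex["cky_i"], ex["cky_r"],
                      ex["sai_b"], idii_b)
    return hmac.compare_digest(expected, received)


def responder_main_mode(peer_ip: str, ex: dict):
    """Main Mode: the key must be picked from the address, because IDii is
    only readable after decrypting message 5 with that key's SKEYID."""
    psk = PSK_BY_IP.get(peer_ip, GROUP_PSK)
    skeyid = skeyid_psk(psk, ex["ni"], ex["nr"])
    plain = toy_crypt(skeyid, ex["msg5"])  # garbage if the wrong key was chosen
    idii_b, received = plain[:-HASH_LEN], plain[-HASH_LEN:]
    ok = _verify(skeyid, ex, idii_b, received)
    return ok, (idii_b if ok else None), psk


def responder_aggressive_mode(peer_ip: str, ex: dict):
    """Aggressive Mode: IDii is in message 1 in the clear, so the key can be
    chosen per identity regardless of the (possibly dynamic) peer address."""
    psk = PSK_BY_ID.get(ex["idii"])
    if psk is None:
        return False, None, None
    skeyid = skeyid_psk(psk, ex["ni"], ex["nr"])
    ok = _verify(skeyid, ex, ex["idii"], ex["hash_i"])
    return ok, (ex["idii"] if ok else None), psk


if __name__ == "__main__":
    # Alice connects from a dynamic address with her own per-user key.
    ex = build_exchange(PSK_BY_ID[b"alice@example.com"], b"alice@example.com")
    print("main mode, per-user key:", responder_main_mode("203.0.113.77", ex)[0])
    print("aggressive mode, per-user key:", responder_aggressive_mode("203.0.113.77", ex)[0])
```

Run stand-alone, the Main Mode responder fails the per-user key because it had to pick a key by address before it could see who was connecting, while the Aggressive Mode responder selects Alice's key from IDii and verifies HASH_I; a Main Mode exchange only succeeds for a dynamic peer when both sides fall back to the single group key, which is the situation the XAUTH draft warns about.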