[Ipsec-tools-users] Security question about NAT-T

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,
File samples/racoon.conf.sample-natt says: "With NAT-T you shouldn't use 
PSK. Let's go on with certs."
  Why pre-shared keys can be so bad together with NAT-T?

Also, is there any security difference between the cases
1) when we know client's IP address behind NAT and
2) when we don't, i.e. using "generate_policy on" in config file (right?)
I'm interested only in PSK related issues here.

This question may be not directly related to ipsec-tools, but there sure is
someone who can answer it ;)

Thanks.