From: VANHULLEBUS Y. <va...@fr...> - 2010-08-16 09:22:53
Hi.

On Mon, Aug 09, 2010 at 09:44:18PM -0500, John Keith Hohm wrote:
> The iPhone OS has a strange set of VPN features. Using L2TP over IPsec
> it only supports main mode with pre-shared keys (no certificates).
> Since L2TP provides the per-user authentication we want to use a single
> pre-shared key for all VPN users, but this is hard to do with
> ipsec-tools since racoon only supports pskey lookup by address when
> identity protection is used and we do not know the address of the client
> in advance. The attached patch adds a wildcard match to the psk.txt
> reading code, specifying an id of * will match any client.

Wildcard PSKs have been a long-time "feature" request for this project, and until now, discussions in the developer's team always had the same conclusion: we won't officially implement that, as it is so easy to use such a "feature" to generate a weak configuration.

Things may change in the future, but actually, the first question I have before doing anything is not related to the patch (I just didn't have a look at it for now ...), but to the feature request itself....

Is this really a good idea to add PSK wildcards in racoon ?????

Yvan.
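The "weak configuration" concern in the thread, as an added illustration that is not ipsec-tools/racoon code and not the attached patch: a small model of a psk.txt lookup with the wildcard semantics the quoted mail describes (an id of `*` matches any client), followed by the IKEv1 main-mode responder authenticator from RFC 2409 section 5.4 with HMAC-SHA1 as the prf. The psk.txt layout (identifier, whitespace, key; `#` comments; `0x`-prefixed hex keys), the sample entries, and the nonces, cookies and Diffie-Hellman values are constructed for the example, and the client is assumed to be configured with the same key the gateway's table yields for its address.

```python
"""Added example (not ipsec-tools/racoon code): why a wildcard psk.txt entry
weakens IKEv1 main-mode PSK authentication.

Assumptions: psk.txt lines are "identifier key" with '#' comments and
0x-prefixed hex keys; the wildcard "*" matches any peer, as the quoted patch
description says.  HASH_R follows RFC 2409 section 5.4 with HMAC-SHA1 as the
prf; nonces, cookies and DH values are constructed constants, not a real run.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample psk.txt: two per-peer keys plus the proposed wildcard entry.
SAMPLE_PSK_TXT = """\
# constructed sample, not a real deployment
192.0.2.10   0x0123456789abcdef0123456789abcdef
192.0.2.20   0xfedcba9876543210fedcba9876543210
*            same-secret-for-every-phone
"""


def parse_psk_txt(text: str) -> Dict[str, bytes]:
    """Parse racoon-style psk.txt into {identifier: key_bytes}."""
    table: Dict[str, bytes] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed psk.txt line: {raw!r}")
        ident, key = parts
        table[ident] = bytes.fromhex(key[2:]) if key.startswith("0x") else key.encode()
    return table


def lookup_psk(table: Dict[str, bytes], peer_addr: str, allow_wildcard: bool) -> Optional[bytes]:
    """Main-mode lookup is by address only: with identity protection the ID payload
    is still encrypted when the responder must pick a key.  With allow_wildcard,
    an unknown address falls back to the "*" entry (the proposal in the thread)."""
    if peer_addr in table:
        return table[peer_addr]
    if allow_wildcard and "*" in table:
        return table["*"]
    return None


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf, instantiated as HMAC-SHA1 for this example."""
    return hmac.new(key, data, hashlib.sha1).digest()


# Fixed, constructed phase-1 values seen by both sides of the exchange.
NI, NR = b"\x11" * 16, b"\x22" * 16          # initiator / responder nonces
GXI, GXR = b"\x33" * 32, b"\x44" * 32        # public DH values (placeholders)
CKY_I, CKY_R = b"\x55" * 8, b"\x66" * 8      # ISAKMP cookies
SAI_B = b"\x77" * 24                         # body of the initiator's SA payload
ID_R = b"\x01" + b"\x00" * 3 + bytes([192, 0, 2, 1])  # IDir: ID_IPV4_ADDR of gateway


def hash_r(psk: bytes) -> bytes:
    """Responder authenticator: SKEYID = prf(psk, Ni_b | Nr_b),
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = prf(psk, NI + NR)
    return prf(skeyid, GXR + GXI + CKY_R + CKY_I + SAI_B + ID_R)


def rogue_gateway_accepted(table: Dict[str, bytes], client_addr: str,
                           attacker_key: bytes, allow_wildcard: bool) -> Optional[bool]:
    """Would a client at client_addr accept a HASH_R forged by whoever holds
    attacker_key?  Returns None when the client has no key at all, i.e. main
    mode cannot even start for that address."""
    client_key = lookup_psk(table, client_addr, allow_wildcard)
    if client_key is None:
        return None
    forged = hash_r(attacker_key)
    expected = hash_r(client_key)
    return hmac.compare_digest(forged, expected)


if __name__ == "__main__":
    table = parse_psk_txt(SAMPLE_PSK_TXT)
    mallory_key = table["192.0.2.20"]
    # Per-peer keys: Mallory's own key does not let her pose as the gateway to Alice.
    print(rogue_gateway_accepted(table, "192.0.2.10", mallory_key, False))
    # Wildcard enabled: every enrolled phone holds the same secret, so any of them
    # can impersonate the gateway to a client dialling in from an unknown address.
    print(rogue_gateway_accepted(table, "203.0.113.7", table["*"], True))
    # Wildcard disabled, unknown address: no key, no main-mode negotiation.
    print(rogue_gateway_accepted(table, "203.0.113.7", mallory_key, False))
```

The wildcard key is the only thing authenticating the gateway to an unknown client, and it is handed to every user, so any user can stand up a responder that passes the client's HASH_R check. The per-user L2TP authentication the quoted mail relies on runs inside that tunnel and does not restore gateway authentication.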