From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Traffic Intensive IPSec Tunnel
Date: Mon, 13 May 2013 06:16:18 +0100
User-Agent: KMail/1.13.7 (Linux/3.7.10-gentoo; KDE/4.10.2; x86_64; ; )
References: <201305120842.37821.michaelkintzios@gmail.com>
List-Id: Gentoo Linux mail
Message-Id: <201305130616.31445.michaelkintzios@gmail.com>

On Monday 13 May 2013 03:13:27 Adam Carter wrote:
> > You can read a comparison between the *Swans here, but things have moved
> > on since; e.g. StrongSwan supports IKEv1 in Aggressive Mode,
>
> Aggressive mode with pre-shared keys is vulnerable to offline dictionary
> attack, so you might as well use main mode. If for some reason you have to
> use aggressive mode, use a long randomly generated PSK.

Indeed it is vulnerable, because the hash of the PSK is sent out in the
initial handshake. This can be captured by eavesdropping and cracked by brute
force offline. As suggested, long keys help, especially if they are changed
often. It is best, however, to not use a PSK at all and instead set up SSL
certificates for VPN gateway and client machine authentication and RSA
encryption. This makes it easy to revoke a single SSL certificate if a client
is compromised, instead of having to change PSKs for any number of machines
that are using the VPN network.

--
Regards,
Mick
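As an added example, not part of the thread or of strongSwan's own documentation, here is the contrast Mick draws expressed as strongSwan ipsec.conf definitions: the aggressive-mode PSK connection beside a main-mode, certificate-authenticated one with CRL checking, so that a single compromised client can be revoked on its own. Addresses, file names, distinguished names and the CRL URI are placeholders.

```ini
# Added example, not from the thread or the strongSwan project: two
# strongSwan ipsec.conf definitions side by side. All names, paths,
# DNs, addresses and the CRL URI are placeholders.

config setup
    # Reject peer certificates when no current CRL can be obtained, so
    # that revoking one compromised client certificate actually takes effect.
    strictcrlpolicy=yes

# Weak: IKEv1 aggressive mode with a pre-shared key. The HASH payload keyed
# from the PSK travels unencrypted in the first exchange, so a passive
# capture is enough for an offline dictionary attack on the PSK.
conn roadwarrior-psk-aggressive
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    left=203.0.113.1
    leftsubnet=10.0.0.0/24
    right=%any
    auto=add

# Hardened: main mode (identities and hashes are sent only after the
# Diffie-Hellman exchange, inside the encrypted channel) with per-host RSA
# certificates issued by a private CA, so one client can be revoked alone.
ca example-vpn-ca
    cacert=vpn-ca-cert.pem
    crluri=http://crl.example.com/vpn-ca.crl
    auto=add

conn roadwarrior-cert
    keyexchange=ikev1
    aggressive=no
    authby=rsasig
    left=203.0.113.1
    leftcert=gw-cert.pem
    leftid="C=GB, O=Example, CN=vpn.example.com"
    leftsubnet=10.0.0.0/24
    right=%any
    rightca="C=GB, O=Example, CN=Example VPN CA"
    auto=add

# Matching /etc/ipsec.secrets entries (placeholders). Only the second is
# needed once the PSK connection is removed; if a PSK must remain, make it
# long and randomly generated, as the thread advises.
: PSK "replace-with-a-long-random-secret"
: RSA gw-key.pem
```

With the certificate connection, retiring one client means adding its certificate to the CA's CRL and republishing it, while every other client keeps working unchanged.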