
Re: Reliable delete notifies





> Correct. As Jan Vilhuber so eloquently pointed out, our customers
> want remote access IPSEC VPN's without the hassle of deploying
> a PKI. Aggressive mode provides a viable (IMHO) solution for

certificates and PKI are there to authenticate public keys. there are
other ways to accomplish the same task. for example one can take a hash of
the self-signed certificate (or any certificate), convert it into base64
form, name it "shared non-secret" and pass this string around much like
you do with shared secrets. your peer will enter this string into his
ipsec device, which will use it to verify the authenticity of certificates
presented by his peers. you don't have to change ike or ipsec or
anything. you must just tweak your certificate validation routine to
accept certificates by their hash, not by signature.

arne
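As an added illustration of the "shared non-secret" idea above (this is not code from the post or from any IPsec product): the fingerprint is the base64 of a hash over the certificate's DER encoding, the peer types that string into its device, and the validation routine accepts a certificate whose hash matches a pinned entry instead of checking a CA signature. The certificate bytes below are a constructed stand-in, and SHA-256 is an assumed choice of hash since the post names none.

```python
import base64
import hashlib
import hmac
from typing import Iterable

# Constructed stand-in for a DER-encoded self-signed certificate (not real X.509).
PEER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed DER bytes for the peer gateway"


def fingerprint(cert_der: bytes) -> str:
    """The 'shared non-secret': base64 of SHA-256 over the DER encoding."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def normalise(fp: str) -> str:
    """Tolerate whitespace and missing '=' padding in a hand-typed fingerprint."""
    compact = "".join(fp.split()).rstrip("=")
    return compact + "=" * (-len(compact) % 4)


def cert_matches_pinned(cert_der: bytes, pinned: Iterable[str]) -> bool:
    """Accept a presented certificate by its hash, not by a CA signature.

    Every pinned entry is compared in constant time; the loop does not stop
    at the first mismatch, so timing does not leak which entry was closest.
    """
    got = normalise(fingerprint(cert_der)).encode("ascii")
    matched = False
    for entry in pinned:
        matched |= hmac.compare_digest(got, normalise(entry).encode("ascii"))
    return matched


if __name__ == "__main__":
    shared = fingerprint(PEER_CERT_DER)      # handed to the peer out of band
    print("shared non-secret:", shared)
    print("genuine cert accepted:", cert_matches_pinned(PEER_CERT_DER, {shared}))
    # Any change to the certificate changes its hash, so a substituted
    # certificate is rejected even though no signature is ever checked.
    print("altered cert accepted:", cert_matches_pinned(PEER_CERT_DER + b"\x00", {shared}))
```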



