Subject: Re: Cisco VPN interop
To: Wolfgang S. Rupprecht <wolfgang+gnus20040124T201156@dailyplanet.dontspam.wsrcc.com>
From: Daniel Carosone <dan@geek.com.au>
List: current-users
Date: 01/27/2004 12:37:03

On Sat, Jan 24, 2004 at 08:33:53PM -0800, Wolfgang S. Rupprecht wrote:
> hopefully followed by them reaming Cisco a new one.

Regardless of exactly what your euphemism really refers to, they'd be
the first to succeed, though not to try, over this issue.

Security-conscious corporates work around the problem by using
certificates or one-time-password tokens, whether or not they're
specifically aware of this issue, but other users often don't have the
infrastructure or perceived need, and just want passwords.

Unfortunately, the dangerous configuration is the one naive people
will ask for (regardless of what they might actually need), and what
the salesmen promote as "simplest".

If you want to do interoperable IKE with racoon, cert or PSK auth are
what you want.  I haven't tried the krb styles, but I doubt they're
applicable to your scenario anyway.

--
Dan.
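For readers following the advice above (cert or PSK auth for interoperable IKE with racoon), here is an added racoon.conf fragment illustrating both choices side by side. It is not from Dan's mail or from the racoon project; the peer addresses, file paths, certificate file names and group choices are assumptions for illustration.

```conf
# Added example racoon.conf, not from the original mail. Peer addresses,
# paths, certificate file names and algorithm choices are assumptions.

path pre_shared_key "/etc/racoon/psk.txt";   # assumed path; one "<peer-id> <secret>" per line
path certificate    "/etc/racoon/certs";     # assumed path; our cert/key and the CA cert live here

# Peer authenticated with a pre-shared key. Main mode keeps the identity
# exchange encrypted, and with a PSK the peer is identified by address.
remote 192.0.2.1 {                           # assumed peer address
        exchange_mode main;
        my_identifier address;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1536;
        }
}

# Same peer style with X.509 certificates: identities are certificate
# subjects rather than fixed addresses, and only the CA certificate
# needs to be distributed out of band.
remote 198.51.100.1 {                        # assumed peer address
        exchange_mode main;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        certificate_type x509 "host.crt" "host.key";   # assumed names, relative to "path certificate"
        verify_cert on;                      # reject peers whose cert does not chain to a trusted CA
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1536;
        }
}

# Phase 2 parameters shared by both peers above.
sainfo anonymous {
        pfs_group modp1536;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The two `remote` blocks differ only in how the peer proves who it is: `authentication_method pre_shared_key` with an address identifier, or `authentication_method rsasig` with `certificate_type` and `verify_cert on`. Everything else (main mode, the proposal, the `sainfo` block) is the same, which is the point: moving from PSK to certificates is a change of authentication, not of the rest of the IKE configuration.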