Subject: Re: Cisco VPN interop
To: Wolfgang S. Rupprecht <wolfgang+gnus20040124T201156@dailyplanet.dontspam.wsrcc.com>
From: Daniel Carosone <firstname.lastname@example.org>
Date: 01/27/2004 12:37:03
Content-Type: text/plain; charset=us-ascii
On Sat, Jan 24, 2004 at 08:33:53PM -0800, Wolfgang S. Rupprecht wrote:
> hopefully followed by them reaming Cisco a new one.
Regardless of exactly what your euphemism really refers to, they'd be
the first to succeed, though not to try, over this issue.
Security-conscious corporates work around the problem by using
certificates or one-time-password tokens, whether or not they're
specifically aware of this issue, but other users often don't have the
infrastructure or perceived need, and just want passwords.
Unfortunately, the dangerous configuration is the one naive people
will ask for (regardless of what they might actually need), and what
the salesmen promote as "simplest".
If you want to do interoperable IKE with racoon, cert or PSK auth are
what you want. I haven't tried the krb styles, but I doubt they're
applicable to your scenario anyway.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)
-----END PGP SIGNATURE-----