
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 1,953 of 2,348   
   Stephen J. Bevan to pvsnmp@yahoo.com   
   Re: IKE Phase1 3 message pair   
   27 Mar 06 15:19:33   
   
   From: stephen@dino.dnsalias.com   
      
   pvsnmp@yahoo.com writes:   
   >>Of course if the responder shares the same pre-shared key with   
   >>multiple initiators then the responder has no way of knowing which   
   >>initiator it actually is.  That's why it isn't a good idea to share   
   >>the pre-shared key with more than one peer :-)   
   >   
   > Why can't the responder look at the IP header?? Also, there are cookies   
   > to differentiate the messages.   
      
   The responder can look at the cookies and/or IP address to
   determine that two different packets belong to different phase1/phase2
   but neither the IP address nor the cookies *authenticate* the initiator.
   That is, the responder can tell it has two connections, but not who
   those connections are from except to know that the connections are
   from one or more people that have access to the pre-shared key.
   Sometimes that's enough (e.g. you are just providing access to some
   service that all users can use) and sometimes it is not
   (e.g. different users are allowed access to different services).
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
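Added example (not part of the thread above): a stripped-down model of IKEv1 phase 1 pre-shared-key authentication, following the RFC 2409 SKEYID and HASH_I formulas, showing why fresh cookies and nonces let the responder tell sessions apart while a group-wide PSK only proves "someone with the key". The PSK values, identities, nonces and DH stand-ins are constructed, HMAC-SHA1 is assumed as the prf, and the ID payload is shortened to raw identity bytes.

```python
"""Model of IKEv1 phase 1 pre-shared-key authentication (RFC 2409, simplified)."""
import hashlib
import hmac
import os

SAI_B = b"\x00constructed-SA-payload"  # constructed stand-in for the initiator's SA payload body


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409's prf is the negotiated keyed hash; HMAC-SHA1 is assumed here.
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def run_phase1(initiator_psk: bytes, claimed_id: bytes, responder_psk_for) -> bool:
    """One exchange. responder_psk_for(claimed_id) models however the responder picks
    the key: by source IP in main mode, by the cleartext ID in aggressive mode."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)            # cookies: tell sessions apart only
    ni, nr, gxi, gxr = (os.urandom(16) for _ in range(4))  # constructed nonces / DH values
    # Initiator side: HASH_I covers the identity it *claims* (IDii_b shortened to raw bytes)
    sent_hash = hash_i(skeyid_psk(initiator_psk, ni, nr), gxi, gxr, cky_i, cky_r, SAI_B, claimed_id)
    # Responder side: recompute with whatever key it associates with this peer
    responder_psk = responder_psk_for(claimed_id)
    if responder_psk is None:
        return False
    expected = hash_i(skeyid_psk(responder_psk, ni, nr), gxi, gxr, cky_i, cky_r, SAI_B, claimed_id)
    return hmac.compare_digest(expected, sent_hash)


GROUP_PSK = b"one-key-for-everyone"  # constructed
PER_PEER_PSK = {b"alice@example.org": b"alice-secret", b"bob@example.org": b"bob-secret"}  # constructed


def shared_key_accepts_any_claimed_identity() -> bool:
    # Any holder of the group key validates HASH_I for any ID, so the responder
    # only learns "someone with the key", not which peer it is talking to.
    return run_phase1(GROUP_PSK, b"alice@example.org", lambda _id: GROUP_PSK)


def per_peer_key_rejects_mismatched_identity() -> bool:
    # With one key per peer, bob's key cannot validate a HASH_I over alice's ID.
    return run_phase1(PER_PEER_PSK[b"bob@example.org"], b"alice@example.org", PER_PEER_PSK.get)


def per_peer_key_accepts_own_identity() -> bool:
    return run_phase1(PER_PEER_PSK[b"alice@example.org"], b"alice@example.org", PER_PEER_PSK.get)
```

The per-peer lookup by ID is only possible when the responder already knows the identity when it selects the key, which is why main mode with a PSK ends up keying on the peer's IP address instead.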



(c) 1994,  bbs@darkrealms.ca