From: stephen@dino.dnsalias.com   
      
   pvsnmp@yahoo.com writes:   
   >>I don't know what else you want to do and so what is required.   
   > What I meant was that when we have the hash computed using HMAC which   
   > can be (is) used to authenticate the peers, why do you need an explicit   
   > pair of messages with the IP Address of peers in it, as in the 3rd pair   
   > of messages.   
      
   In the case it is an IP address it isn't much use.  The best that can   
   be done is to optionally check it matches the IP address on the IKE   
   packet but even that fails in the presence of NAT.   
      
   However, the IDii does not have to be an IP address.  It could be a   
   FQDN or an opaque key.  Either of these can be used to pass down a   
   value that is known only to the initiator and responder.  Obviously   
   using a FQDN name like "stephen@dino.dnsalias.com" would be easy to   
   guess but if instead it was a string like "stephen/*WQ732HG" where   
   "stephen" is the user-name and "*WQ732HG" is another shared secret   
   then this can be used to provide identity protection (stephen) and   
   provide a way to use main-mode with a (group) pre-shared key but still   
   providing per-user authentication.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)