[Swan-dev] Symmetric vs Asymmetric authentication

Paul Wouters paul at nohats.ca
Fri Jul 24 17:10:09 UTC 2020

On Thu, 23 Jul 2020, Balaji Thoguluva wrote:

> Subject: [Swan-dev] Symmetric vs Asymmetric authentication

> What is the definition of symmetric and asymmetric authentication in the context of Libreswan? 

> If both ends are using the same mode of authentication for example, both use PSK or both use X.509 certificate-based authentication,
> are they considered symmetric authentication?

Yes. That is, you can configure it based on using authby=

The asymmetric ones require you use leftauth= and rightauth= because the
methods are different. The most common one is where the clients
authenticate the server using certificates, but the clients authenticate
to the server using EAP (note libreswan does not yet support EAP)

We also use it to support Opportunistic IPsec on the internet, where
the client (typicall laptop or phone behind NAT) can authenticate
the remote server via a common CA (letsencrypt) or DNSSEC based IPSECKEY
records, while the clients want to remain anonymous and the server
doesn't care who it is protecting and serving for. In this case we
use leftauth=null and rightauth=rsasig on the client configuration.


More information about the Swan-dev mailing list