[Swan] regarding PSK lookup in secrets file and the Peer ID

David Mansfield swan at dm.cobite.com
Wed Mar 4 18:28:50 EET 2015


Hi All,

I'm fairly new to libreswan and I have a working tunnel where I control 
both ends, both ends are libreswan.  I'm about to set up a tunnel with a 
partner and I'm looking to understand how secrets are matched against 
indices in the secret file for PSK.

According to the man page:

    An additional complexity arises in the case of authentication by
    preshared secret: the responder will need to look up the secret
    before the Peer's ID payload has been decoded, so the ID used
    will be the IP address.

However, in my test tunnel, the secret is not found unless I use the 
"id" I have specified in leftid/rightid, and not by using the IP 
address.  My IDs are defined like:

  leftid=@somename.mydomain.com
  rightid=@othername.mydomain.com

And my secrets file has to have:

  @somename.mydomain.com @othername.mydomain.com: PSK "blahblahblah"

in order to work. It doesn't work with the IP addresses.

Also, in reading about "id" it seems to be a large area of configuration pain. 
In my case, it looks like the partner will be deriving the ID from IP 
and Netmask. Are they expecting my id to be "a.b.c.d/nnn"? I think the 
default (i.e. omitting the leftid) would just be "a.b.c.d", no?

Is there any way to determine what the Peer ID is without being told 
explicitly by their system administrator (i.e. is a peer id completely 
arbitrary based on the ipsec implementation used and configuration on 
the remote end?)

-- 
Thanks,
David Mansfield
Cobite, INC.
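To make the matching question in the post concrete, here is an added example (not from the post, and not libreswan's own code) that models how a secrets file in the index syntax shown above is searched for a PSK: each line lists the identities it applies to, followed by a colon, the PSK keyword and the quoted secret, and a lookup succeeds only when a line's index list covers both the local identity and the peer identity. The hostnames, addresses and secrets are constructed for this example. The model assumes index order does not matter, that the wildcard %any matches any identity, and that a line with exact matches is preferred over a wildcard line; libreswan's actual precedence rules are not modelled here. It also shows why the man-page quote matters: a responder that only knows the peer's IP address at lookup time finds nothing unless the file contains an address-indexed line or a wildcard line.

```python
import re

# Constructed sample secrets file in the index syntax the post shows.
# Hostnames, addresses and secrets are invented for this example.
SAMPLE_SECRETS = """\
# hostname-style IDs, as in the post's leftid/rightid setup
@somename.mydomain.com @othername.mydomain.com: PSK "blahblahblah"
# address-style indices (documentation addresses, constructed here)
192.0.2.10 198.51.100.20: PSK "address-keyed-secret"
"""

# Wildcard line that matches any pair of identities (appended in the demo below).
WILDCARD_LINE = '%any %any: PSK "catch-all-secret"\n'

# indices, ':', the PSK keyword and a double-quoted secret
_LINE = re.compile(r'^\s*(?P<indices>.*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_secrets(text):
    """Return a list of (indices, psk) tuples, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised secrets line: {line!r}")
        entries.append((m.group("indices").split(), m.group("psk")))
    return entries


def _match_score(indices, identity):
    """2 for an exact index match, 1 for a %any match, 0 for no match."""
    if identity in indices:
        return 2
    if "%any" in indices:
        return 1
    return 0


def lookup_psk(entries, local_id, peer_id):
    """Best-matching secret for the (local, peer) identity pair, or None.

    A line qualifies only if it covers both identities; among qualifying
    lines the one with more exact (non-wildcard) matches wins. This
    preference is an assumption of this model, not libreswan's documented rule.
    """
    best_psk, best_score = None, 0
    for indices, psk in entries:
        local_score = _match_score(indices, local_id)
        peer_score = _match_score(indices, peer_id)
        if local_score == 0 or peer_score == 0:
            continue
        score = local_score + peer_score
        if score > best_score:
            best_psk, best_score = psk, score
    return best_psk


if __name__ == "__main__":
    entries = parse_secrets(SAMPLE_SECRETS)
    # Lookup by the configured hostname IDs (either order) finds the first line.
    print(lookup_psk(entries, "@somename.mydomain.com", "@othername.mydomain.com"))
    # Lookup by addresses only finds the address-indexed line ...
    print(lookup_psk(entries, "192.0.2.10", "198.51.100.20"))
    # ... and a mixed pair is covered by neither line.
    print(lookup_psk(entries, "@somename.mydomain.com", "198.51.100.20"))
    # With a %any line present, an otherwise unknown address pair still resolves,
    # but an address pair with its own line keeps the more specific secret.
    both = parse_secrets(SAMPLE_SECRETS + WILDCARD_LINE)
    print(lookup_psk(both, "203.0.113.5", "203.0.113.6"))
    print(lookup_psk(both, "192.0.2.10", "198.51.100.20"))
```

Run as a script, the demo prints the hostname-keyed secret, the address-keyed secret, None for the mixed pair, and then the catch-all and address-keyed secrets once the wildcard line is present. The practical reading is that whichever identity form the responder uses at lookup time (the configured ID or, as the man page describes, the peer's IP address) must literally appear as an index on a line, or be covered by %any, for the PSK to be found.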