[Swan] PSK with asymmetric keys
Vukasin Karadzic
vukasin.karadzic at gmail.com
Thu Apr 2 20:50:25 UTC 2020
Dear Rene,
libreswan does not currently support asymmetric PSK authentication. The
ipsec.secret manual page documents that:
"Authentication by preshared secret requires that both systems find the
identical secret".
Regards,
Vukasin
On Tue, 31 Mar 2020 at 13:17, Rene Neumann <rene.neumann at zpesystems.com> wrote:
> Hello,
>
> We’re trying to configure Libreswan 3.27 with asymmetric PSK auth support
> for IKEv2 tunnels and it would appear that Libreswan is always using authby
> (symmetric) PSK.
>
> This is what we have in the conf file:
>
> conn XXX
>
>     #GLOBAL Configuration
>     #connaddrfamily=ipv4
>     auto=add
>     type=tunnel
>     mtu=1460
>
>     #IKE Configuration
>     leftauth=secret
>     rightauth=secret
>     initial_contact=yes
>     keyingtries=%forever
>     keyexchange=ike
>     nat_keepalive=yes
>     ike=aes256-sha256;modp1536
>     ikev2=insist
>     ikelifetime=60m
>     remote_peer_type=cisco
>     fragmentation=yes
>     dpdaction=hold
>     dpdtimeout=5m
>     dpddelay=1
>     #aggressive=no
>
>     #Phase 2 configuration
>     pfs=yes
>     phase2=esp
>     phase2alg=3des-sha256;modp1536
>     salifetime=86400s
>
>     #Left configuration
>     leftid=192.168.100.108
>     left=192.168.100.108
>     leftsubnet=192.168.101.0/24
>
>     #Right configuration
>     rightid=192.168.200.165
>     right=192.168.200.165
>     rightsubnet=192.168.204.0/24
>
> And for the .secrets file:
>
> 192.168.100.108 : PSK "Spoke_Key"
> 192.168.200.165 : PSK "Collector_Key"
>
> We have gone through a lot of permutations and combinations in the secrets
> file.
>
> Some advice would be much appreciated.
>
> *Rene Neumann*
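
The "identical secret" requirement from the reply, as an added example that is not part of the original thread and is not libreswan code: a small lint that models, in simplified form, the entry-matching rule described in ipsec.secrets(5) and reports which PSK each end would select. It assumes both ends load the same file, handles only one-line IPv4-indexed PSK entries, and the "One_Shared_Key" variant is constructed for comparison.

```python
import re

# Constructed samples: the two-entry file from the quoted message, and a
# variant where both IDs index a single entry.
ASYMMETRIC = '''
192.168.100.108 : PSK "Spoke_Key"
192.168.200.165 : PSK "Collector_Key"
'''
SHARED = '192.168.100.108 192.168.200.165 : PSK "One_Shared_Key"\n'

ENTRY = re.compile(r'^(?P<ids>[^:#]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')

def parse_secrets(text):
    """Return [(index_list, psk)] for each one-line PSK entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("ids").split(), m.group("psk")))
    return entries

def select_psk(entries, host_id, peer_id):
    """Simplified model of the lookup in ipsec.secrets(5): an entry with no
    index matches anyone, one index must equal the host ID, several indices
    must contain both host and peer ID. The most specific match wins."""
    best, best_rank = None, -1
    for ids, psk in entries:
        if not ids:
            rank = 0
        elif len(ids) == 1:
            rank = 1 if ids[0] == host_id else -1
        else:
            rank = 2 if host_id in ids and peer_id in ids else -1
        if rank > best_rank:
            best, best_rank = psk, rank
    return best

def check_pair(text, left_id, right_id):
    """Compare the PSK each end would select from this file."""
    entries = parse_secrets(text)
    left = select_psk(entries, left_id, right_id)
    right = select_psk(entries, right_id, left_id)
    return {"left": left, "right": right,
            "identical": left is not None and left == right}

if __name__ == "__main__":
    for name, text in (("asymmetric", ASYMMETRIC), ("shared", SHARED)):
        print(name, check_pair(text, "192.168.100.108", "192.168.200.165"))
```

With the two-entry file each end finds a different secret, which is the condition the manual page rules out; with a single entry indexed by both IDs the two ends agree.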