[Swan] PSK with asymmetric keys

Vukasin Karadzic vukasin.karadzic at gmail.com
Thu Apr 2 20:50:25 UTC 2020


Dear Rene,

libreswan does not currently support asymmetric PSK authentication. The
ipsec.secret manual page documents that:
"Authentication by preshared secret requires that both systems find the
identical secret".

Regards,
Vukasin

On Tue, Mar 31, 2020 at 13:17, Rene Neumann <rene.neumann at zpesystems.com> wrote:

> Hello,
>
> We’re trying to configure Libreswan 3.27 with asymmetric PSK auth support
> for IKEv2 tunnels and it would appear that Libreswan is always using authby
> (symmetric) PSK.
>
> This is what we have in the conf file:
>
> conn XXX
>
>         #GLOBAL Configuration
>         #connaddrfamily=ipv4
>         auto=add
>         type=tunnel
>         mtu=1460
>
>         #IKE Configuration
>         leftauth=secret
>         rightauth=secret
>         initial_contact=yes
>         keyingtries=%forever
>         keyexchange=ike
>         nat_keepalive=yes
>         ike=aes256-sha256;modp1536
>         ikev2=insist
>         ikelifetime=60m
>         remote_peer_type=cisco
>         fragmentation=yes
>         dpdaction=hold
>         dpdtimeout=5m
>         dpddelay=1
>         #aggressive=no
>
>         #Phase 2 configuration
>         pfs=yes
>         phase2=esp
>         phase2alg=3des-sha256;modp1536
>         salifetime=86400s
>
>         #Left configuration
>         leftid=192.168.100.108
>         left=192.168.100.108
>         leftsubnet=192.168.101.0/24
>
>         #Right configuration
>         rightid=192.168.200.165
>         right=192.168.200.165
>         rightsubnet=192.168.204.0/24
>
> And for the .secrets file:
>
> 192.168.100.108 : PSK "Spoke_Key"
> 192.168.200.165 : PSK "Collector_Key"
>
> We have gone through a lot of permutations and combinations in the secrets
> file.
>
> Some advice would be much appreciated.
>
> *Rene Neumann*
>
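
The lookup behind the quoted manual-page sentence, as an added example that is not part of the original thread and is not libreswan code: a simplified model of the entry-selection rule documented in ipsec.secrets(5), applied from each end's point of view to the two entries in the question and to a single entry indexed by both IDs. The function names are hypothetical, only single-line PSK entries with IPv4 or name IDs are handled, and `EXAMPLE_SHARED_SECRET` is a placeholder.

```python
import re

# Constructed input: the two entries from the question's secrets file.
ASYMMETRIC = (
    '192.168.100.108 : PSK "Spoke_Key"\n'
    '192.168.200.165 : PSK "Collector_Key"\n'
)
# Constructed input: one entry indexed by both IDs (placeholder secret).
SHARED = '192.168.100.108 192.168.200.165 : PSK "EXAMPLE_SHARED_SECRET"\n'

# Simplified: single-line PSK entries, IDs without ':' (so no IPv6).
ENTRY = re.compile(r'^(?P<ids>[^:#]*?)\s*:\s+PSK\s+"(?P<psk>[^"]*)"\s*$')

def parse_psk_entries(text):
    """Return [(index_list, secret), ...] for each PSK line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("ids").split(), m.group("psk")))
    return entries

def select_psk(entries, host_id, peer_id):
    """Pick the most specific entry as seen from host_id (None if no match)."""
    best_rank, best = -1, None
    for ids, psk in entries:
        if not ids:
            rank = 0  # no index: matches any host and peer
        elif len(ids) == 1:
            rank = 1 if ids[0] == host_id else -1  # peer is not considered
        else:
            rank = 2 if host_id in ids and peer_id in ids else -1
        if rank > best_rank:
            best_rank, best = rank, psk
    return best

def both_ends_agree(text, left_id, right_id):
    """True when left and right each find a secret and it is the same one."""
    entries = parse_psk_entries(text)
    left = select_psk(entries, left_id, right_id)
    right = select_psk(entries, right_id, left_id)
    return left is not None and left == right

if __name__ == "__main__":
    for name, text in (("asymmetric", ASYMMETRIC), ("shared", SHARED)):
        ok = both_ends_agree(text, "192.168.100.108", "192.168.200.165")
        print(name, "-> identical secret found" if ok else "-> secrets differ")
```

With the question's file, the host 192.168.100.108 selects only its own single-index entry, so the `Collector_Key` line is never consulted for this connection.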