[Swan] PSK with asymmetric keys
Vukasin Karadzic
vukasin.karadzic at gmail.com
Thu Apr 2 20:54:38 UTC 2020
A correction: ipsec.secrets is the name of the man page, not ipsec.secret.
Thu, 2 Apr 2020 at 22:50 Vukasin Karadzic <vukasin.karadzic at gmail.com> wrote:
> Dear Rene,
>
> libreswan does not currently support asymmetric PSK authentication. The
> ipsec.secret manual page documents that:
> "Authentication by preshared secret requires that both systems find the
> identical secret".
>
> Regards,
> Vukasin
>
> Tue, 31 Mar 2020 at 13:17 Rene Neumann <rene.neumann at zpesystems.com> wrote:
>
>> Hello,
>>
>> We’re trying to configure Libreswan 3.27 with asymmetric PSK auth support
>> for IKEv2 tunnels and it would appear that Libreswan is always using authby
>> (symmetric) PSK.
>>
>> This is what we have in the conf file:
>>
>> conn XXX
>>     #GLOBAL Configuration
>>     #connaddrfamily=ipv4
>>     auto=add
>>     type=tunnel
>>     mtu=1460
>>
>>     #IKE Configuration
>>     leftauth=secret
>>     rightauth=secret
>>     initial_contact=yes
>>     keyingtries=%forever
>>     keyexchange=ike
>>     nat_keepalive=yes
>>     ike=aes256-sha256;modp1536
>>     ikev2=insist
>>     ikelifetime=60m
>>     remote_peer_type=cisco
>>     fragmentation=yes
>>     dpdaction=hold
>>     dpdtimeout=5m
>>     dpddelay=1
>>     #aggressive=no
>>
>>     #Phase 2 configuration
>>     pfs=yes
>>     phase2=esp
>>     phase2alg=3des-sha256;modp1536
>>     salifetime=86400s
>>
>>     #Left configuration
>>     leftid=192.168.100.108
>>     left=192.168.100.108
>>     leftsubnet=192.168.101.0/24
>>
>>     #Right configuration
>>     rightid=192.168.200.165
>>     right=192.168.200.165
>>     rightsubnet=192.168.204.0/24
>>
>> And for the .secrets file:
>>
>> 192.168.100.108 : PSK "Spoke_Key"
>> 192.168.200.165 : PSK "Collector_Key"
>>
>> We have gone through a lot of permutations and combinations in the
>> secrets file.
>>
>> Some advice would be much appreciated.
>>
>> *Rene Neumann*
>>
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>>
>
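Why the two different lines in the quoted .secrets file cannot authenticate a tunnel, shown at the protocol level as an added Python example that is not part of this thread or of libreswan: IKEv2 shared-key authentication (RFC 7296 section 2.15) feeds the PSK into the AUTH payload and the peer recomputes AUTH with the secret it looked up, so both sides must hold the identical value. The message, nonce and SK_pi bytes below are constructed stand-ins, not a real capture.

```python
import hmac
import hashlib
import socket

# Fixed pad string from RFC 7296 section 2.15 (shared key message integrity code)
KEY_PAD = b"Key Pad for IKEv2"

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, the prf that the quoted ike=aes256-sha256 negotiates."""
    return hmac.new(key, data, hashlib.sha256).digest()

def id_ipv4_payload_body(address: str) -> bytes:
    """RestOfInitIDPayload for an ID_IPV4_ADDR identity: type=1, 3 reserved bytes, address."""
    return bytes([1, 0, 0, 0]) + socket.inet_aton(address)

def initiator_signed_octets(message1: bytes, nonce_r: bytes, sk_pi: bytes, id_body: bytes) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload)."""
    return message1 + nonce_r + prf(sk_pi, id_body)

def psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(shared_secret, KEY_PAD), signed_octets)

def verify_psk_auth(shared_secret: bytes, signed_octets: bytes, received_auth: bytes) -> bool:
    """The verifier recomputes AUTH with the secret *it* found and compares in constant time."""
    return hmac.compare_digest(psk_auth(shared_secret, signed_octets), received_auth)

# Constructed stand-ins for the values both peers hold after IKE_SA_INIT (not real traffic)
SAMPLE_MESSAGE1 = bytes.fromhex("00112233445566770000000000000000") + b"<constructed IKE_SA_INIT request>"
SAMPLE_NONCE_R = bytes(range(32))
SAMPLE_SK_PI = hashlib.sha256(b"constructed SK_pi").digest()

def spoke_vs_collector() -> tuple:
    """Initiator 192.168.100.108 signs with the secret it found; the responder checks with its own."""
    octets = initiator_signed_octets(SAMPLE_MESSAGE1, SAMPLE_NONCE_R, SAMPLE_SK_PI,
                                     id_ipv4_payload_body("192.168.100.108"))
    auth = psk_auth(b"Spoke_Key", octets)
    # Both peers resolved the identical secret: AUTH verifies
    identical = verify_psk_auth(b"Spoke_Key", octets, auth)
    # Responder resolved the other line of the quoted .secrets file: AUTH fails
    different = verify_psk_auth(b"Collector_Key", octets, auth)
    return identical, different

if __name__ == "__main__":
    print(spoke_vs_collector())  # (True, False)
```

The failing case is what the responder logs as an authentication failure, which is why no arrangement of two distinct PSK lines in ipsec.secrets can work.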