[Swan] PSK with asymmetric keys

Vukasin Karadzic vukasin.karadzic at gmail.com
Thu Apr 2 20:54:38 UTC 2020


A correction: ipsec.secrets is the name of the man page, not ipsec.secret.

On Thu, Apr 2, 2020 at 22:50, Vukasin Karadzic <vukasin.karadzic at gmail.com> wrote:

> Dear Rene,
>
> libreswan does not currently support asymmetric PSK authentication. The
> ipsec.secret manual page documents that:
> "Authentication by preshared secret requires that both systems find the
> identical secret".
>
> Regards,
> Vukasin
>
> On Tue, Mar 31, 2020 at 13:17, Rene Neumann <rene.neumann at zpesystems.com> wrote:
>
>> Hello,
>>
>> We’re trying to configure Libreswan 3.27 with asymmetric PSK auth support
>> for IKEv2 tunnels and it would appear that Libreswan is always using authby
>> (symmetric) PSK.
>>
>> This is what we have in the conf file:
>>
>> conn XXX
>>         #GLOBAL Configuration
>>         #connaddrfamily=ipv4
>>         auto=add
>>         type=tunnel
>>         mtu=1460
>>
>>         #IKE Configuration
>>         leftauth=secret
>>         rightauth=secret
>>         initial_contact=yes
>>         keyingtries=%forever
>>         keyexchange=ike
>>         nat_keepalive=yes
>>         ike=aes256-sha256;modp1536
>>         ikev2=insist
>>         ikelifetime=60m
>>         remote_peer_type=cisco
>>         fragmentation=yes
>>         dpdaction=hold
>>         dpdtimeout=5m
>>         dpddelay=1
>>         #aggressive=no
>>
>>         #Phase 2 configuration
>>         pfs=yes
>>         phase2=esp
>>         phase2alg=3des-sha256;modp1536
>>         salifetime=86400s
>>
>>         #Left configuration
>>         leftid=192.168.100.108
>>         left=192.168.100.108
>>         leftsubnet=192.168.101.0/24
>>
>>         #Right configuration
>>         rightid=192.168.200.165
>>         right=192.168.200.165
>>         rightsubnet=192.168.204.0/24
>>
>> And for the .secrets file:
>>
>> 192.168.100.108 : PSK "Spoke_Key"
>> 192.168.200.165 : PSK "Collector_Key"
>>
>> We have gone through a lot of permutations and combinations in the
>> secrets file.
>>
>> Some advice would be much appreciated.
>>
>> *Rene Neumann*
>