[Swan] PSK with asymmetric keys

Rene Neumann rene.neumann at zpesystems.com
Fri Apr 3 08:05:21 UTC 2020


Hi Vukasin,

Thank you for the information. We went through the ipsec.conf man file up and down and found a few hints that it might have been possible. We must have overlooked the entry in the ipsec.secrets man page.

Stay safe and have a great weekend.

Rene Neumann

<https://www.zpesystems.com/demo/>
________________________________
From: Vukasin Karadzic <vukasin.karadzic at gmail.com>
Sent: Thursday 2 April 2020 21:54
To: Rene Neumann <rene.neumann at zpesystems.com>
Cc: swan at lists.libreswan.org <swan at lists.libreswan.org>
Subject: Re: [Swan] PSK with asymmetric keys

A correction: ipsec.secrets is the name of man page, not ipsec.secret

Thu, 2 Apr 2020 at 22:50 Vukasin Karadzic <vukasin.karadzic at gmail.com> wrote:
Dear Rene,

libreswan does not currently support asymmetric PSK authentication. The ipsec.secret manual page documents that:
"Authentication by preshared secret requires that both systems find the identical secret".

Regards,
Vukasin

Tue, 31 Mar 2020 at 13:17 Rene Neumann <rene.neumann at zpesystems.com> wrote:
Hello,
Hello,

We're trying to configure Libreswan 3.27 with asymmetric PSK auth support for IKEv2 tunnels and it would appear that Libreswan is always using authby (symmetric) PSK.

This is what we have in the conf file:

conn XXX
        #GLOBAL Configuration
        #connaddrfamily=ipv4
        auto=add
        type=tunnel
        mtu=1460

        #IKE Configuration
        leftauth=secret
        rightauth=secret
        initial_contact=yes
        keyingtries=%forever
        keyexchange=ike
        nat_keepalive=yes
        ike=aes256-sha256;modp1536
        ikev2=insist
        ikelifetime=60m
        remote_peer_type=cisco
        fragmentation=yes
        dpdaction=hold
        dpdtimeout=5m
        dpddelay=1
        #aggressive=no

        #Phase 2 configuration
        pfs=yes
        phase2=esp
        phase2alg=3des-sha256;modp1536
        salifetime=86400s

        #Left configuration
        leftid=192.168.100.108
        left=192.168.100.108
        leftsubnet=192.168.101.0/24

        #Right configuration
        rightid=192.168.200.165
        right=192.168.200.165
        rightsubnet=192.168.204.0/24

And for the .secrets file:

192.168.100.108 : PSK "Spoke_Key"
192.168.200.165 : PSK "Collector_Key"

We have gone through a lot of permutations and combinations in the secrets file.

Some advice would be much appreciated.

Rene Neumann

_______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
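The man page sentence Vukasin quotes points at the working configuration: both peers must look up the identical PSK, so the two one-ID lines in Rene's ipsec.secrets (a different key per ID) cannot authenticate a single IKEv2 exchange. An ipsec.secrets line may carry several IDs as indices; listing both peer IDs selects one shared key for this tunnel on either side. The entry below is an added example for this thread, not something posted by either participant or taken from the libreswan source; it reuses the leftid/rightid values from Rene's conn and a placeholder secret.

```conf
# /etc/ipsec.secrets, installed identically on BOTH peers (added example).
# Indices are the IDs used as leftid/rightid in conn XXX; libreswan matches
# the secret against the IDs of the two parties, so one line covers the tunnel.
# The PSK value here is a placeholder: generate a long random string
# (for example `openssl rand -base64 48`) and never reuse it for another peer.
192.168.100.108 192.168.200.165 : PSK "replace-with-one-long-random-shared-secret"
```

Keep the file readable by root only (mode 0600), and run `ipsec rereadsecrets` after editing so pluto picks up the new entry without a restart. Per-direction keys, which Rene's original two lines were attempting, are exactly what the quoted man page rules out for PSK authentication; an asymmetric setup needs a different authentication method on one side, which is outside what this thread covers.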