[Swan] PSK with asymmetric keys

Paul Wouters paul at nohats.ca
Fri Apr 10 01:38:13 UTC 2020


On Thu, 2 Apr 2020, Vukasin Karadzic wrote:

[ bouncing to swan-dev ]

> libreswan does not currently support asymmetric PSK authentication. The ipsec.secret manual page documents that:
> "Authentication by preshared secret requires that both systems find the identical secret".

Indeed, it does not.

The issue is how we would configure this. Currently, we look up the
secret matching a line that contains both the leftid and rightid.
This is so you can have different secrets with different partners,
like:

@gateway @customer1: PSK "secret1"
@gateway @customer2: PSK "othersecret1"

But how would we specify that for customer1, we want our PSK to be "foo"
and their PSK to be "secret1"? And for customer2, that we want our PSK to be
"bar" and their PSK to be "othersecret1"?


I guess the answer as to why we don't support it is based on this
problem, but also on the fact that you actually gain nothing by
using two different PSKs over one PSK. Both ends need to know
and configure it, so if one secret is lost, both are lost.

Is this something we should work on?

Paul
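The lookup described above, as an added Python illustration (not libreswan's own code): a parser for PSK lines in ipsec.secrets syntax and a lookup that returns the one secret shared by a pair of IDs. The secrets file is constructed for the example; the empty-selector fallback line follows the ipsec.secrets manual page's rule that a line with no selectors applies to any peer.

```python
import re
from typing import Optional

# Constructed sample in ipsec.secrets syntax (not a real configuration file).
SAMPLE_SECRETS = """
# one shared secret per partner, keyed on both IDs
@gateway @customer1: PSK "secret1"
@gateway @customer2: PSK "othersecret1"
# an empty selector list applies to every peer (fallback)
: PSK "fallback-secret"
"""

# selectors, a colon, the keyword PSK and a double-quoted secret
LINE_RE = re.compile(r'^\s*(?P<selectors>[^:#]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_secrets(text: str) -> list[tuple[frozenset[str], str]]:
    """Return (selector IDs, secret) for each PSK line; comments, blanks and non-PSK lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. RSA or XAUTH entries, not handled by this example
        entries.append((frozenset(m.group("selectors").split()), m.group("psk")))
    return entries


def lookup_psk(entries, local_id: str, peer_id: str) -> Optional[str]:
    """Secret from the first line that lists both IDs, else the empty-selector fallback, else None.

    The match is on the unordered pair, so both ends resolve the same single
    secret: this syntax has no place to express a different PSK per direction.
    """
    fallback = None
    for selectors, psk in entries:
        if not selectors:
            if fallback is None:
                fallback = psk
        elif local_id in selectors and peer_id in selectors:
            return psk
    return fallback


if __name__ == "__main__":
    entries = parse_secrets(SAMPLE_SECRETS)
    # Same answer whichever side asks; there is one secret per pair.
    print(lookup_psk(entries, "@gateway", "@customer1"), lookup_psk(entries, "@customer1", "@gateway"))
```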

