[Swan] Libreswan to Cisco IOS
Paul Wouters
paul at nohats.ca
Thu Dec 10 17:48:00 UTC 2020
On Thu, 10 Dec 2020, John Serink wrote:
> Further to this, I since searched the email lists and found that libreswan does NOT support asymmetric PSK keys. That is
> "very" disappointing since the ikev2 RFC supports this.
Can you explain what the advantage is of basically using 2 PSKs instead
of 1 per connection? As they both need to be shared with the same
devices, a compromise of one PSK would compromise the second PSK?
> Any possibility of getting this added?
> Asymmetric keys are a step up from using a common key for all remote hosts.
That is not what this means. You can already have one PSK per
connection, so that you are giving each local-remote host its own PSK
to use.
Let's say you have hosts east, west and north.
You can have ipsec.secrets like:
@east @west : PSK "secret-for-east-west"
@east @north : PSK "anothersecret-for-east-north"
@west @north : PSK "yetanothersecret-for-west-north"
Where you would only add the lines containing @east on east, @west on
west, @north on north, etc.
Paul
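The per-host filtering Paul describes above, as an added example (not code from the mailing-list post or from libreswan): given the full pairwise table, each host's ipsec.secrets is just the lines that name its own ID. The script assumes the line syntax shown in the post (two @-prefixed IDs, a colon, PSK and a quoted secret), uses the three-host table from the post with made-up secrets as constructed sample input, and adds a generator that gives every pair a fresh CSPRNG key plus a check that no pair or key appears twice; all function names are this example's own.

```python
"""Build per-host ipsec.secrets contents from a full pairwise PSK table.

Added example; not from the Swan mailing-list post or from libreswan.
Assumes the ipsec.secrets line syntax shown in the post:
    @idA @idB : PSK "secret"
and that each host only receives the lines naming its own ID.
"""
import re
import secrets as _secrets  # stdlib CSPRNG, used to mint fresh PSKs
from itertools import combinations

# One PSK line: two @-prefixed IDs, a colon, the word PSK, a quoted secret.
_LINE_RE = re.compile(r'^\s*@(\S+)\s+@(\S+)\s*:\s*PSK\s+"([^"]*)"\s*$')


def generate_pairwise_table(hosts):
    """Return ipsec.secrets lines giving every pair of hosts its own PSK.

    Each PSK is 32 bytes of CSPRNG output (URL-safe base64), so no two pairs
    share a key and losing one pair's key exposes no other pair.
    """
    lines = []
    for a, b in combinations(sorted(hosts), 2):
        psk = _secrets.token_urlsafe(32)
        lines.append(f'@{a} @{b} : PSK "{psk}"')
    return lines


def parse_line(line):
    """Parse one PSK line into (frozenset of IDs, psk); None if it does not match."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    id_a, id_b, psk = m.groups()
    return frozenset((id_a, id_b)), psk


def per_host_secrets(all_lines, host):
    """Select the lines that name `host` as one of the two endpoints.

    This is the filtering from the post: east keeps only the @east lines,
    west only the @west lines, and so on, so each host holds only the keys
    for its own tunnels.
    """
    out = []
    for line in all_lines:
        parsed = parse_line(line)
        if parsed is not None and host in parsed[0]:
            out.append(line)
    return out


def check_table(all_lines):
    """Sanity-check a full table before splitting it up.

    Flags lines that do not parse, a pair listed twice, a line whose two IDs
    are the same host, and a PSK reused by more than one pair. Returns a
    list of problem strings (empty means the table is clean).
    """
    problems = []
    seen_pairs = set()
    first_line_with_psk = {}
    for n, line in enumerate(all_lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            problems.append(f"line {n}: not a two-ID PSK line: {line!r}")
            continue
        pair, psk = parsed
        if len(pair) != 2:
            problems.append(f"line {n}: both IDs are the same host")
        if pair in seen_pairs:
            problems.append(f"line {n}: pair {sorted(pair)} listed more than once")
        seen_pairs.add(pair)
        if psk in first_line_with_psk:
            problems.append(f"line {n}: PSK reused from line {first_line_with_psk[psk]}")
        first_line_with_psk.setdefault(psk, n)
    return problems


# Constructed sample: the three-host table from the post, with made-up secrets.
SAMPLE_TABLE = [
    '@east @west : PSK "secret-for-east-west"',
    '@east @north : PSK "anothersecret-for-east-north"',
    '@west @north : PSK "yetanothersecret-for-west-north"',
]

if __name__ == "__main__":
    for host in ("east", "west", "north"):
        print(f"# ipsec.secrets on {host}")
        print("\n".join(per_host_secrets(SAMPLE_TABLE, host)))
    print("problems:", check_table(SAMPLE_TABLE))
```

Run it as-is to see the three per-host files derived from the sample table; with `generate_pairwise_table` you can instead start from freshly minted keys and only ever copy each host's filtered lines onto that host, so the full table never has to exist on any of the peers.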