<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Verdana, Geneva, sans-serif; font-size: 10pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Hello,</div>
<div style="font-family: Verdana, Geneva, sans-serif; font-size: 10pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Verdana, Geneva, sans-serif; font-size: 10pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<p><span lang="EN-US">We’re trying to configure Libreswan 3.27 with asymmetric PSK auth support for IKEv2 tunnels and it would appear that Libreswan is always using authby (symmetric) PSK.</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">This is what we have in the conf file:</span></p>
<p><span lang="EN-US"> </span></p>
<p><span style="font-size:8.0pt" lang="EN-US">conn XXX </span></p>
<p><span style="font-size:8.0pt" lang="EN-US"> </span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        #GLOBAL Configuration</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        #connaddrfamily=ipv4</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        auto=add</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        type=tunnel</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        mtu=1460</span></p>
<p><span style="font-size:8.0pt" lang="EN-US"> </span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        #IKE Configuration</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        leftauth=secret</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        rightauth=secret</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        initial_contact=yes</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        keyingtries=%forever</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        keyexchange=ike</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        nat_keepalive=yes</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        ike=aes256-sha256;modp1536</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        ikev2=insist</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        ikelifetime=60m</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        remote_peer_type=cisco</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        fragmentation=yes</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        dpdaction=hold</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        dpdtimeout=5m</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        dpddelay=1</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        #aggressive=no</span></p>
<p><span style="font-size:8.0pt" lang="EN-US"> </span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        #Phase 2 configuration</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        pfs=yes</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        phase2=esp</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        phase2alg=3des-sha256;modp1536</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        salifetime=86400s</span></p>
<p><span style="font-size:8.0pt" lang="EN-US"> </span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        #Left configuration</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        leftid=192.168.100.108</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        left=192.168.100.108</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        leftsubnet=192.168.101.0/24</span></p>
<p><span style="font-size:8.0pt" lang="EN-US"> </span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        #Right configuration</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        rightid=192.168.200.165</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        right=192.168.200.165</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">        rightsubnet=192.168.204.0/24</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">And for the .secrets file:</span></p>
<p><span lang="EN-US"> </span></p>
<p><span style="font-size:8.0pt" lang="EN-US">192.168.100.108 : PSK "Spoke_Key"</span></p>
<p><span style="font-size:8.0pt" lang="EN-US">192.168.200.165 : PSK "Collector_Key"</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">We have gone through a lot of permutations and combinations in the secrets file.</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">Some advice would be much appreciated.</span></p>
<br>
</div>
<div>
<div style="font-family: Verdana, Geneva, sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div></div>
<div></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p style="margin:0cm 0cm 0.0001pt; font-size:12pt; font-family:Calibri,sans-serif">
<a style=""><b><span style="font-size: 10pt; font-family: "Source Sans Pro"; color: rgb(11, 171, 198);">Rene Neumann</span></b></a><span style=""><span style="font-size: 10pt; font-family: "Source Sans Pro"; color: rgb(96, 109, 117);"><br>
</span></span></p>
<br>
</div>
</div>
</div>
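<p>Added, illustrative model (not Libreswan's code and not part of the message above) of why a secrets file with one ID per line ends up behaving like a single, symmetric pre-shared key: a PSK lookup is done once per IKE SA for the (local ID, remote ID) pair and returns one value, and the IKEv2 AUTH construction of RFC 7296 section 2.15 uses whatever key that lookup returned both to compute the local AUTH payload and to verify the peer's. The two secrets lines are the ones from the post; the "most specific match wins, first entry wins on ties" rule, the SignedOctets strings, the PAIRED_SECRETS variant and HMAC-SHA-256 as the prf are assumptions made for this example.</p>

```python
"""Model of ipsec.secrets PSK selection plus the IKEv2 PSK AUTH computation.
Illustrative only: the selection rule is an assumption, not Libreswan's lookup."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample: the two single-ID lines from the post.
SAMPLE_SECRETS = '''
192.168.100.108 : PSK "Spoke_Key"
192.168.200.165 : PSK "Collector_Key"
'''

# Constructed alternative: one entry indexed by both peer IDs (assumed form).
PAIRED_SECRETS = '''
192.168.100.108 192.168.200.165 : PSK "Shared_Key"
'''

# 'ID [ID ...] : KIND "value"'. IPv6 IDs (which contain ':') are not handled.
LINE_RE = re.compile(r'^(?P<ids>[^:]*?)\s*:\s*(?P<kind>[A-Za-z]+)\s+"(?P<val>[^"]*)"$')


@dataclass(frozen=True)
class Secret:
    selectors: tuple  # IDs listed before the colon; empty means "any peer"
    kind: str         # e.g. "PSK"
    value: bytes


def parse_secrets(text):
    """Parse secrets lines; blank lines and '#' comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f'unparsable secrets line: {raw!r}')
        entries.append(Secret(tuple(m.group('ids').split()),
                              m.group('kind').upper(),
                              m.group('val').encode()))
    return entries


def match_score(entry, local_id, remote_id):
    """Assumed rule: an entry naming both IDs beats one naming only one;
    an entry with no selectors (or only %any) is the weakest match."""
    if not entry.selectors or entry.selectors == ('%any',):
        return 1
    return 2 * (local_id in entry.selectors) + 2 * (remote_id in entry.selectors)


def select_psk(entries, local_id, remote_id):
    """Return the single PSK an IKE SA would use for this ID pair
    (first entry wins on ties), or None when nothing matches."""
    best, best_score = None, 0
    for e in entries:
        if e.kind != 'PSK':
            continue
        score = match_score(e, local_id, remote_id)
        if score > best_score:
            best, best_score = e, score
    return None if best is None else best.value


KEY_PAD = b'Key Pad for IKEv2'  # fixed 17-octet string, RFC 7296 section 2.15


def ikev2_psk_auth(psk, signed_octets):
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>),
    with HMAC-SHA-256 as the prf (assumed, matching the sha256 in the ike= line)."""
    inner = hmac.new(psk, KEY_PAD, hashlib.sha256).digest()
    return hmac.new(inner, signed_octets, hashlib.sha256).digest()


def verify_auth(psk, signed_octets, auth):
    """The verifier recomputes AUTH with the key its own lookup returned."""
    return hmac.compare_digest(auth, ikev2_psk_auth(psk, signed_octets))


def auth_exchange(secrets_text, spoke_id, collector_id):
    """Both peers run the lookup for the same ID pair (each from its own
    local/remote point of view), sign with the key they got, and verify the
    other's AUTH with that same key. Returns (spoke_ok, collector_ok, keys)."""
    entries = parse_secrets(secrets_text)
    spoke_key = select_psk(entries, spoke_id, collector_id)
    collector_key = select_psk(entries, collector_id, spoke_id)
    init_octets = b'constructed InitiatorSignedOctets'   # placeholder, not real IKE data
    resp_octets = b'constructed ResponderSignedOctets'   # placeholder, not real IKE data
    auth_i = ikev2_psk_auth(spoke_key, init_octets)       # spoke signs with its one key
    auth_r = ikev2_psk_auth(collector_key, resp_octets)   # collector signs with its one key
    collector_ok = verify_auth(collector_key, init_octets, auth_i)
    spoke_ok = verify_auth(spoke_key, resp_octets, auth_r)
    return spoke_ok, collector_ok, (spoke_key, collector_key)


if __name__ == '__main__':
    ok_s, ok_c, keys = auth_exchange(SAMPLE_SECRETS, '192.168.100.108', '192.168.200.165')
    print('spoke verified collector:', ok_s, '| collector verified spoke:', ok_c)
    print('keys actually used:', keys)  # "Collector_Key" never enters the exchange
```

<p>Under this model the two-line file from the post scores both entries equally for the ID pair, the first entry wins, and "Collector_Key" is never consulted, so the exchange is authenticated with one key in both directions. Genuinely asymmetric PSK would need the initiator to sign with one key and verify with another, which a lookup that returns a single value per ID pair cannot express; the place to confirm what the real daemon selected is its own logs, not this model.</p>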
</body>
</html>