<div dir="ltr"><div>Dear Rene,</div><div><br></div><div>libreswan does not currently support asymmetric PSK authentication. The ipsec.secret manual page documents that:</div><div>"Authentication by preshared secret requires that both systems find the identical secret".</div><div><br></div><div>Regards,</div><div>Vukasin<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">уто, 31. мар 2020. у 13:17 Rene Neumann <<a href="mailto:rene.neumann@zpesystems.com">rene.neumann@zpesystems.com</a>> је написао/ла:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Verdana,Geneva,sans-serif;font-size:10pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Hello,</div>
<div style="font-family:Verdana,Geneva,sans-serif;font-size:10pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Verdana,Geneva,sans-serif;font-size:10pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<p><span lang="EN-US">We’re trying to configure Libreswan 3.27 with asymmetric PSK auth support for IKEv2 tunnels and it would appear that Libreswan is always using authby (symmetric) PSK.</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">This is what we have in the conf file:</span></p>
<p><span lang="EN-US"> </span></p>
<p><span style="font-size:8pt" lang="EN-US">conn XXX </span></p>
<p><span style="font-size:8pt" lang="EN-US"> </span></p>
<p><span style="font-size:8pt" lang="EN-US"> #GLOBAL Configuration</span></p>
<p><span style="font-size:8pt" lang="EN-US"> #connaddrfamily=ipv4</span></p>
<p><span style="font-size:8pt" lang="EN-US"> auto=add</span></p>
<p><span style="font-size:8pt" lang="EN-US"> type=tunnel</span></p>
<p><span style="font-size:8pt" lang="EN-US"> mtu=1460</span></p>
<p><span style="font-size:8pt" lang="EN-US"> </span></p>
<p><span style="font-size:8pt" lang="EN-US"> #IKE Configuration</span></p>
<p><span style="font-size:8pt" lang="EN-US"> leftauth=secret</span></p>
<p><span style="font-size:8pt" lang="EN-US"> rightauth=secret</span></p>
<p><span style="font-size:8pt" lang="EN-US"> initial_contact=yes</span></p>
<p><span style="font-size:8pt" lang="EN-US"> keyingtries=%forever</span></p>
<p><span style="font-size:8pt" lang="EN-US"> keyexchange=ike</span></p>
<p><span style="font-size:8pt" lang="EN-US"> nat_keepalive=yes</span></p>
<p><span style="font-size:8pt" lang="EN-US"> ike=aes256-sha256;modp1536</span></p>
<p><span style="font-size:8pt" lang="EN-US"> ikev2=insist</span></p>
<p><span style="font-size:8pt" lang="EN-US"> ikelifetime=60m</span></p>
<p><span style="font-size:8pt" lang="EN-US"> remote_peer_type=cisco</span></p>
<p><span style="font-size:8pt" lang="EN-US"> fragmentation=yes</span></p>
<p><span style="font-size:8pt" lang="EN-US"> dpdaction=hold</span></p>
<p><span style="font-size:8pt" lang="EN-US"> dpdtimeout=5m</span></p>
<p><span style="font-size:8pt" lang="EN-US"> dpddelay=1</span></p>
<p><span style="font-size:8pt" lang="EN-US"> #aggressive=no</span></p>
<p><span style="font-size:8pt" lang="EN-US"> </span></p>
<p><span style="font-size:8pt" lang="EN-US"> #Phase 2 configuration</span></p>
<p><span style="font-size:8pt" lang="EN-US"> pfs=yes</span></p>
<p><span style="font-size:8pt" lang="EN-US"> phase2=esp</span></p>
<p><span style="font-size:8pt" lang="EN-US"> phase2alg=3des-sha256;modp1536</span></p>
<p><span style="font-size:8pt" lang="EN-US"> salifetime=86400s</span></p>
<p><span style="font-size:8pt" lang="EN-US"> </span></p>
<p><span style="font-size:8pt" lang="EN-US"> #Left configuration</span></p>
<p><span style="font-size:8pt" lang="EN-US"> leftid=192.168.100.108</span></p>
<p><span style="font-size:8pt" lang="EN-US"> left=192.168.100.108</span></p>
<p><span style="font-size:8pt" lang="EN-US"> leftsubnet=<a href="http://192.168.101.0/24" target="_blank">192.168.101.0/24</a></span></p>
<p><span style="font-size:8pt" lang="EN-US"> </span></p>
<p><span style="font-size:8pt" lang="EN-US"> #Right configuration</span></p>
<p><span style="font-size:8pt" lang="EN-US"> rightid=192.168.200.165</span></p>
<p><span style="font-size:8pt" lang="EN-US"> right=192.168.200.165</span></p>
<p><span style="font-size:8pt" lang="EN-US"> rightsubnet=<a href="http://192.168.204.0/24" target="_blank">192.168.204.0/24</a></span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">And for the .secrets file:</span></p>
<p><span lang="EN-US"> </span></p>
<p><span style="font-size:8pt" lang="EN-US">192.168.100.108 : PSK "Spoke_Key"</span></p>
<p><span style="font-size:8pt" lang="EN-US">192.168.200.165 : PSK "Collector_Key"</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">We have gone through a lot of permutations and combinations in the secrets file.</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">Some advice would be much appreciated.</span></p>
<br>
</div>
<div>
<div style="font-family:Verdana,Geneva,sans-serif;font-size:10pt;color:rgb(0,0,0)">
<br>
</div>
<div id="gmail-m_-2296168461250925497Signature">
<div></div>
<div></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif">
<a><b><span style="font-size:10pt;font-family:"Source Sans Pro";color:rgb(11,171,198)">Rene Neumann</span></b></a><span><span style="font-size:10pt;font-family:"Source Sans Pro";color:rgb(96,109,117)"><br>
</span></span></p>
<br>
</div>
</div>
</div>
</div>
_______________________________________________<br>
Swan mailing list<br>
<a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br>
</blockquote></div>