[strongSwan] PSK with ideal keys, charon crashes with 8m keylife?

Martin Willi martin at strongswan.org
Mon Mar 21 16:12:52 CET 2011


Hi Nikos,

> How could I take advantage of the "given ideal keys" ?
> Is it possible to use the DH derived keys as an index to the pool of
> those "ideal keys"?

The IKEv2 protocol uses the DH exchange as a base to derive the
cryptographic keys. With PSK authentication, the PSKs are not part of
the key derivation, but only used for peer authentication.

So at least an IKEv2 compatible implementation can't use the PSK keys
directly to derive key material from. You could set up your SAs manually
using these keys, or feed in your "ideal" key material to the DH
exchange. Depends on what you actually want to achieve.

> charon: 08[DMN] thread 10 received 11
> charon: 08[DMN] killing ourself, received critical signal

If you can verify this crash with our latest release, a GDB backtrace
would be helpful to analyze the issue (use ipsec start --attach-gdb).

Regards
Martin
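
The distinction drawn in the message above, as an added example that is not part of the original mail and not strongSwan code: the RFC 7296 derivation with HMAC-SHA-256 as the PRF, where the SK_* keys come only from the DH secret, nonces and SPIs, and the PSK enters only the AUTH payload. The function names, the fixed 32-byte key length and all sample values are assumptions made for the illustration.

```python
import hashlib
import hmac

KEY_LEN = 32  # assumption: PRF_HMAC_SHA2_256 / AES-256 / HMAC-SHA2-256 suite, all keys 32 bytes

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296, 2.13): T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def ike_sa_keys(g_ir: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """SKEYSEED = prf(Ni | Nr, g^ir), then seven SK_* keys from prf+. No PSK input."""
    skeyseed = prf(ni + nr, g_ir)
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 7 * KEY_LEN)
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    return {n: keymat[i * KEY_LEN:(i + 1) * KEY_LEN] for i, n in enumerate(names)}

def psk_auth(psk: bytes, sk_p: bytes, message: bytes, peer_nonce: bytes, id_body: bytes) -> bytes:
    """AUTH = prf(prf(PSK, "Key Pad for IKEv2"), message | peer nonce | prf(SK_p, ID))."""
    signed_octets = message + peer_nonce + prf(sk_p, id_body)
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real exchange.
    g_ir = hashlib.sha256(b"constructed DH shared secret").digest()
    ni, nr = bytes(range(32)), bytes(range(32, 64))
    spi_i, spi_r = b"\x11" * 8, b"\x22" * 8
    keys = ike_sa_keys(g_ir, ni, nr, spi_i, spi_r)
    # Two different PSKs: the session key is the same, only AUTH changes.
    for psk in (b"ideal-key-0001", b"ideal-key-0002"):
        auth = psk_auth(psk, keys["SK_pi"], b"<IKE_SA_INIT request>", nr, b"<IDi body>")
        print(psk.decode(), "SK_ei", keys["SK_ei"].hex()[:16], "AUTH", auth.hex()[:16])
```

Because the PSK never reaches `ike_sa_keys`, swapping in a different pre-shared key changes which peers authenticate successfully but not the keys protecting the traffic.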




