[strongSwan] ipsec secrets

Martin Willi martin at strongswan.org
Tue Dec 11 09:53:43 CET 2012


Hi Jordan,

> Is this expected? Can anyone please explain to me whether there is
> dependency between PSK selector and connection leftid/rightid?

The problem is that with IKEv1 in Main Mode, you need the PSK before you
even get the remote identity or could look up an associated
configuration. Therefore, we use the following to get a PSK:

     1. Try to find a PSK by the remote and local IP address. This will
        yield the PSK in your configuration.
     2. If no PSK is found, but we are using aggressive mode or act as
        initiator, we can look up the PSK using the peer identities.
     3. If no PSK is found, the daemon tries to find a configuration by
        the local and remote IP address, and then uses the
        configuration's peer identities to find a PSK.

In practice, using different PSKs for clients without a static IP is
difficult, IKEv1 just doesn't allow that. You could use aggressive mode
where the identity is transferred in plain, but this makes you
vulnerable to dictionary attacks against your PSK.

So the recommendation is: Don't use PSKs for IKEv1 clients not having a
static IP.

Regards
Martin
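
The following is an added example, not part of Martin's post and not strongSwan's own code: a small model of the three-step PSK lookup described above, with a constructed configuration (gateway `198.51.100.1`, identities `@gw` and `@alice`, a static-IP peer at `192.0.2.10`). It shows why an identity-keyed PSK for a road warrior is found as initiator or in aggressive mode, but not in Main Mode as responder, and that only a wildcard (shared) PSK then works. The matching rule (every party must be covered by some selector) is an assumption of this model.

```python
from dataclasses import dataclass

ANY = "%any"  # wildcard selector, as written in ipsec.conf / ipsec.secrets

@dataclass
class Secret:
    selectors: tuple  # IP addresses or identities such as "@alice"
    psk: str

@dataclass
class Conn:
    left: str
    right: str
    leftid: str
    rightid: str

def _match(selector, value):
    return selector == ANY or selector == value

def find_by_selectors(secrets, a, b):
    """First PSK whose selectors cover both a and b (assumed matching rule)."""
    for s in secrets:
        if all(any(_match(sel, v) for sel in s.selectors) for v in (a, b)):
            return s.psk
    return None

def lookup_psk(secrets, conns, my_ip, peer_ip, my_id, peer_id,
               initiator, aggressive):
    """Model of the three lookup steps; returns (psk, step) or (None, 0)."""
    # 1. by local and remote IP address
    psk = find_by_selectors(secrets, my_ip, peer_ip)
    if psk:
        return psk, 1
    # 2. by identities: only possible if we already know the peer identity
    if initiator or aggressive:
        psk = find_by_selectors(secrets, my_id, peer_id)
        if psk:
            return psk, 2
    # 3. find a connection by the IPs, then use its configured identities
    for c in conns:
        if _match(c.left, my_ip) and _match(c.right, peer_ip):
            psk = find_by_selectors(secrets, c.leftid, c.rightid)
            if psk:
                return psk, 3
    return None, 0

# Constructed sample configuration: one static-IP peer, one road warrior
# ("alice") with its own identity-keyed PSK, behind a catch-all connection.
SECRETS = [Secret(("198.51.100.1", "192.0.2.10"), "static-psk"),
           Secret(("@gw", "@alice"), "alice-psk")]
CONNS = [Conn("198.51.100.1", ANY, "@gw", ANY)]
```

Calling `lookup_psk(SECRETS, CONNS, "198.51.100.1", "203.0.113.5", "@gw", "@alice", False, False)` models alice connecting from a dynamic address in Main Mode with the gateway as responder and returns `(None, 0)`, while the same call with `aggressive=True` returns `("alice-psk", 2)`.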
