[strongSwan] Multiple PSK for same connection...

Martin Willi martin at strongswan.org
Wed Jul 10 09:13:09 CEST 2013


Hi Dan,

> Is it possible to have different secret/private keys and have two matches?
> Will Strongswan try the other if the first fails?

Any trusted/matching certificate is used to verify a public key
signature, until the signature could be verified. This applies to both
IKEv1 and IKEv2.

For PSK authentication, IKEv2 tries to verify the AUTH payload with any
matching PSK. However, this currently does not apply to IKEv1: IKEv1
uses the PSK for encryption/integrity protection of IKE messages; it
would be quite difficult to redo the whole key derivation process with
multiple PSKs.

> Will StrongSwan reload the keys on an "ipsec reload" command?

No, "ipsec rereadsecrets" reloads "ipsec.secrets".

Regards
Martin
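
Added example (not part of the original message, and not strongSwan code): a sketch of why trying several PSKs is cheap in IKEv2 but not in IKEv1, using the formulas from RFC 7296 section 2.15 and RFC 2409 section 5. HMAC-SHA256 as the prf, the function names, and all secrets, nonces and octets are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # constant string from RFC 7296, section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the negotiated prf.
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    # IKEv2: AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
    # The IKE SA keys come from DH and nonces only, so the message carrying
    # AUTH is already decrypted before any PSK is needed.
    return prf(prf(psk, KEY_PAD), signed_octets)


def ikev2_find_matching_psk(candidates, signed_octets, received_auth):
    """Return the label of the first candidate PSK whose AUTH matches, else None."""
    for label, psk in candidates:
        expected = ikev2_psk_auth(psk, signed_octets)
        if hmac.compare_digest(expected, received_auth):  # constant-time compare
            return label
    return None


def ikev1_skeyid(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    # IKEv1 with pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    # The encryption and integrity keys are derived from SKEYID, so each
    # candidate PSK means a separate full key derivation.
    return prf(psk, ni_b + nr_b)


# Constructed sample values, not taken from any real exchange.
CANDIDATES = [("old", b"constructed-old-secret"), ("new", b"constructed-new-secret")]
SIGNED_OCTETS = b"constructed-signed-octets"
NI_B, NR_B = b"\x01" * 16, b"\x02" * 16


def demo():
    # The peer authenticates with the second ("new") secret.
    peer_auth = ikev2_psk_auth(CANDIDATES[1][1], SIGNED_OCTETS)
    matched = ikev2_find_matching_psk(CANDIDATES, SIGNED_OCTETS, peer_auth)
    skeyids = {label: ikev1_skeyid(psk, NI_B, NR_B) for label, psk in CANDIDATES}
    return matched, skeyids["old"] != skeyids["new"]


if __name__ == "__main__":
    print(demo())
```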




