[strongSwan] IPSec VPN between Cisco ASA and StrongSwan

Martin Willi martin at strongswan.org
Mon Apr 27 09:10:07 CEST 2015


Hi,

> It seems to me (I found some hints but no real doc) that you have to 
> specify the direction like this:
> 
>      lefthost righthost : PSK rightpsk
>      righthost lefthost : PSK leftpsk

This can work, but I don't think that it must in all cases. The lookup
function for shared keys takes the two peer identities. Then each
identity is matched against each configured PSK identity. So the "match
quality" for the lookup will be the same.

strongSwan does not really use the concept of "local" or "remote" keys.
As the name implies, it is a shared key between two entities. Using a
different PSK for each end is possible in IKEv2, but I don't think that
there is much benefit from doing so. Each peer has to know each secret
anyway.

It also falsely implies that a peer "owns" that secret for
authentication; but as all partners must know that secret, they can use
that secret to impersonate that peer. IMHO it is better to use a single
distinct secret for each pair of peers, or each tunnel. And of course if
it should scale to many peers, public keys are preferable, where each
peer effectively "owns" its private key.

Regards
Martin
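
To make the lookup described above concrete, here is an added example (not strongSwan's own code, and not part of the original thread) that models how a PSK is selected from ipsec.secrets-style entries. The scoring values are a stand-in for strongSwan's identity matching, where an exact identity beats %any; the names lefthost and righthost come from the thread, while thirdhost, unknownhost and the secret values are constructed for illustration.

```python
"""Simplified model of how strongSwan picks a PSK from ipsec.secrets.

Added example, not strongSwan code: the scoring is a stand-in for
strongSwan's identity matching (exact match beats %any), and the host
names other than lefthost/righthost are constructed for illustration.
"""
from dataclasses import dataclass

# Relative match quality of one identity against one selector.
MATCH_NONE, MATCH_ANY, MATCH_PERFECT = 0, 1, 20


@dataclass(frozen=True)
class Secret:
    selectors: tuple   # identities before the colon; empty tuple matches anyone
    key: str


def parse_secrets(text):
    """Parse ipsec.secrets-style lines of the form '<id> <id> ... : PSK "key"'."""
    secrets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        left, sep, right = line.partition(":")
        if not sep:
            raise ValueError(f"no ':' in secrets line: {raw!r}")
        kind, _, key = right.strip().partition(" ")
        if kind != "PSK":
            continue  # only PSK entries are modelled here
        secrets.append(Secret(tuple(left.split()), key.strip().strip('"')))
    return secrets


def match_id(identity, selector):
    """Score one identity against one selector (exact > %any > no match)."""
    if selector == identity:
        return MATCH_PERFECT
    if selector == "%any":
        return MATCH_ANY
    return MATCH_NONE


def lookup(secrets, me, other):
    """Return every PSK tied at the best match quality for the pair (me, other).

    Both peer identities are matched against every selector of each entry,
    so the order in which the two identities were written does not matter.
    A result with more than one key means the choice is ambiguous.
    """
    best, winners = MATCH_NONE, []
    for s in secrets:
        if s.selectors:
            m = max(match_id(me, sel) for sel in s.selectors)
            o = max(match_id(other, sel) for sel in s.selectors)
            if MATCH_NONE in (m, o):
                continue
            score = m + o
        else:
            score = 2 * MATCH_ANY  # selector-less entry: matches any pair
        if score > best:
            best, winners = score, [s.key]
        elif score == best:
            winners.append(s.key)
    return winners


# Constructed input: the "directional" layout discussed in the thread.
DIRECTIONAL = '''
lefthost righthost : PSK "rightpsk"
righthost lefthost : PSK "leftpsk"
'''

# Constructed input: one distinct secret per pair of peers, plus a fallback.
PER_PAIR = '''
lefthost righthost  : PSK "secret-left-right"   # this tunnel only
lefthost thirdhost  : PSK "secret-left-third"   # another tunnel, another key
%any                : PSK "fallback-secret"     # matches anyone, lowest quality
'''


if __name__ == "__main__":
    # Both directional entries score the same, so the pick is ambiguous.
    print(lookup(parse_secrets(DIRECTIONAL), "lefthost", "righthost"))
    # One exact-pair entry wins outright; an unknown peer gets only the fallback.
    print(lookup(parse_secrets(PER_PAIR), "lefthost", "righthost"))
    print(lookup(parse_secrets(PER_PAIR), "lefthost", "unknownhost"))
```

With the directional layout both entries match the pair lefthost/righthost equally well, so the model returns two tied keys and which one a real implementation uses depends on ordering rather than on any notion of "local" or "remote". With one distinct secret per pair, the exact-pair entry outscores the %any fallback and the lookup is unambiguous, which is the layout the reply recommends.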
