[strongSwan] IPSec VPN between Cisco ASA and StrongSwan

Martin Willi martin at strongswan.org
Mon Apr 27 12:13:49 CEST 2015

> So what is the added benefit of having two PSKs, since IKEv2 explicitly 
> allows that compared to IKEv1?

While it is allowed in IKEv2, I don't see much benefit from doing that.
RFC 7296 says:

> In particular, the initiator may be using a shared key while the
> responder may have a public signature key and certificate.  It will
> commonly be the case (but it is not required) that, if a shared secret
> is used for authentication, the same key is used in both directions.

So the authentication agility gained in IKEv2 is mostly about methods,
not the shared key itself.

> Since IPSec SAs are undirectional in nature, maybe using two PSKs uses a 
> different PSK in each direction?

No. In IKEv2 the PSK is used for authenticating the peers only. The
IPsec SAs get derived key material, unique in each direction, using any
authentication method.

> In any case, it must be possible to correctly and unambiguously 
> configure that in strongswan, is it not?

PSKs defined for strongSwan are shared between a set of peers. So there
is no real difference between defining one for "peera peerb" and "peerb
peera", as these are the same sets of peers.

Of course one may argue differently and require some kind of precedence
for the "local" peer, but strongSwan does not support that.

What is your intention by defining different PSKs for each peer in the
first place?


More information about the Users mailing list