[strongSwan] Configuring asymmetric PSK's?

Noel Kuntze noel at familie-kuntze.de
Tue Jul 7 21:25:45 CEST 2015


Hello Ryan,
Asymmetric PSKs are not supported
and completely useless, as they're shared.
Both sides know them.
Using different keys on either side gains no security whatsoever.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 07.07.2015 at 21:23, Ruel, Ryan wrote:
> I am trying to configure a connection where I use an FQDN identifier for my local ID, and an e-mail address for the remote identifier.
>
> Both use the same domain name.
>
> I have set a secret for each in ipsec.secrets, which I would like to be asymmetric. 
>
> What I find, however, is that strongSwan is using "abc123" for both keys.  I can verify this with a Cisco CSR by setting the local and remote pre-shared key to abc123, and the connection comes up.
>
> Is there a way to do this?
>
> /Ryan
>
> ipsec.secrets:
> @foo.bar.com : PSK 123abc
> user1@foo.bar.com : PSK abc123
>
> ipsec.conf:
> conn test
>         auto=add
>         authby=secret
>         leftid="foo.bar.com"
>         right=%any
>         rightid="*foo.bar.com"

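The point made in the reply, as an added example that is not part of the original thread or of strongSwan's code: the IKEv2 PSK AUTH computation from RFC 7296, section 2.15, run with one key per direction. It assumes IKEv2, HMAC-SHA256 as the PRF, constructed signed octets, and an arbitrary assignment of the two keys from the post to directions; the `Peer` class and the helper names are hypothetical.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # fixed string from RFC 7296, section 2.15

def prf(key: bytes, data: bytes) -> bytes:
    """Assumption: HMAC-SHA256 stands in for the negotiated PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()

def psk_auth(secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(secret, KEY_PAD), signed_octets)

class Peer:
    """Hypothetical peer holding one PSK per direction."""

    def __init__(self, send_secret: bytes, recv_secret: bytes):
        self.send_secret = send_secret  # keys our own AUTH payload
        self.recv_secret = recv_secret  # needed to check the peer's AUTH

    def sign(self, octets: bytes) -> bytes:
        return psk_auth(self.send_secret, octets)

    def verify(self, octets: bytes, auth: bytes) -> bool:
        return hmac.compare_digest(psk_auth(self.recv_secret, octets), auth)

# Constructed stand-ins for the real signed octets (message, nonce, ID hash).
I_OCTETS = b"constructed initiator signed octets"
R_OCTETS = b"constructed responder signed octets"

def exchange_ok(initiator: Peer, responder: Peer) -> bool:
    """Both AUTH payloads verify, as in a successful IKE_AUTH exchange."""
    return (responder.verify(I_OCTETS, initiator.sign(I_OCTETS))
            and initiator.verify(R_OCTETS, responder.sign(R_OCTETS)))

def verifier_can_reproduce(verifier: Peer, signer: Peer, octets: bytes) -> bool:
    """Whoever can check a PSK AUTH value can also compute it."""
    return hmac.compare_digest(psk_auth(verifier.recv_secret, octets),
                               signer.sign(octets))

# Keys from the post, assigned per direction: each side still stores both.
gateway = Peer(send_secret=b"123abc", recv_secret=b"abc123")
client = Peer(send_secret=b"abc123", recv_secret=b"123abc")

if __name__ == "__main__":
    print(exchange_ok(gateway, client))
    print(verifier_can_reproduce(gateway, client, R_OCTETS))
```

Each peer needs the other's key to verify its AUTH payload, so both secret stores end up holding the same two values and either peer can compute the AUTH value for both directions, exactly as with a single shared key.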