[strongSwan] Configuring asymmetric PSK's?

Ruel, Ryan rruel at akamai.com
Tue Jul 7 21:29:12 CEST 2015

That is a good point :)

Is using a certificate for the responder and a PSK for the initiator


On 7/7/15, 3:25 PM, "Noel Kuntze" <noel at familie-kuntze.de> wrote:

>Hello Ryan,
>Asymmetric PSKs are not supported
>and completely useless, as they're shared.
>Both sides know them.
>Using different keys on either side gains no security whatsoever.
>Kind Regards,
>Noel Kuntze
>GPG Key ID: 0x63EC6658
>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>On 07.07.2015 at 21:23, Ruel, Ryan wrote:
>> I am trying to configure a connection where I use an FQDN identifier
>>for my local ID, and an e-mail address for the remote identifier.
>> Both use the same domain name.
>> I have set a secret for each in ipsec.secrets, which I would like to be
>> What I find, however, is that strongSwan is using "abc123" for both
>>keys.  I can verify this with a Cisco CSR by setting the local and
>>remote pre-shared key to abc123, and the connection comes up.
>> Is there a way to do this?
>> /Ryan
>> ipsec.secrets:
>> @foo.bar.com : PSK 123abc
>> user1 at foo.bar.com : PSK abc123
>> ipsec.conf:
>> conn test
>>         auto=add
>>         authby=secret
>>         leftid="foo.bar.com"
>>         right=%any
>>         rightid="*foo.bar.com"