[strongSwan] Configuring asymmetric PSK's?

Ruel, Ryan rruel at akamai.com
Tue Jul 7 21:29:12 CEST 2015


That is a good point :)

Is using a certificate for the responder and a PSK for the initiator
supported?


/Ryan

On 7/7/15, 3:25 PM, "Noel Kuntze" <noel at familie-kuntze.de> wrote:

>
>Hello Ryan,
>Asymmetric PSKs are not supported
>and completely useless, as they're shared.
>Both sides know them.
>Using different keys on either side gains no security whatsoever.
>
>Mit freundlichen Grüßen/Kind Regards,
>Noel Kuntze
>
>GPG Key ID: 0x63EC6658
>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>On 07.07.2015 at 21:23, Ruel, Ryan wrote:
>> I am trying to configure a connection where I use an FQDN identifier
>>for my local ID, and an e-mail address for the remote identifier.
>>
>> Both use the same domain name.
>>
>> I have set a secret for each in ipsec.secrets, which I would like to be
>>asymmetric. 
>>
>> What I find, however, is that strongSwan is using "abc123" for both
>>keys.  I can verify this with a Cisco CSR by setting the local and
>>remote pre-shared key to abc123, and the connection comes up.
>>
>> Is there a way to do this?
>>
>> /Ryan
>>
>> ipsec.secrets:
>> @foo.bar.com : PSK 123abc
>> user1 at foo.bar.com : PSK abc123
>>
>> ipsec.conf:
>> conn test
>>         auto=add
>>         authby=secret
>>         leftid="foo.bar.com"
>>         right=%any
>>         rightid="*foo.bar.com"
>>
>

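Added example, not part of the original messages and not strongSwan code: a sketch of the IKEv2 PSK AUTH computation from RFC 7296 section 2.15, showing why a per-direction PSK still has to be stored on both peers. It assumes IKEv2 with HMAC-SHA2-256 as the PRF; the `Peer` class, `demo()` and the signed-octet strings are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # fixed string from RFC 7296, section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: the negotiated PRF is HMAC-SHA2-256.
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    # AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
    return prf(prf(psk, KEY_PAD), signed_octets)


class Peer:
    """Hypothetical peer model holding one PSK per direction."""

    def __init__(self, local_psk: bytes, remote_psk: bytes):
        self.local_psk = local_psk    # used to build our own AUTH payload
        self.remote_psk = remote_psk  # required to check the other side's AUTH

    def make_auth(self, own_octets: bytes) -> bytes:
        return psk_auth(self.local_psk, own_octets)

    def verify_auth(self, peer_octets: bytes, auth: bytes) -> bool:
        return hmac.compare_digest(psk_auth(self.remote_psk, peer_octets), auth)

    def auth_as_remote(self, octets: bytes) -> bytes:
        # The verification key is the same key the remote side authenticates with.
        return psk_auth(self.remote_psk, octets)


def demo() -> dict:
    # Secrets as in the quoted ipsec.secrets; the octets are constructed stand-ins
    # for the real signed octets (first message, peer nonce, prf(SK_p, ID)).
    gateway = Peer(local_psk=b"123abc", remote_psk=b"abc123")
    user = Peer(local_psk=b"abc123", remote_psk=b"123abc")
    i_octets = b"constructed-initiator-signed-octets"
    r_octets = b"constructed-responder-signed-octets"
    return {
        "initiator_auth_ok": gateway.verify_auth(i_octets, user.make_auth(i_octets)),
        "responder_auth_ok": user.verify_auth(r_octets, gateway.make_auth(r_octets)),
        # Each side can compute the other's AUTH, so neither key is private to one peer.
        "gateway_knows_user_key": gateway.auth_as_remote(i_octets) == user.make_auth(i_octets),
        "user_knows_gateway_key": user.auth_as_remote(r_octets) == gateway.make_auth(r_octets),
    }


if __name__ == "__main__":
    print(demo())
```

Because verification recomputes the same PRF output, a compromise of either peer's secrets file exposes both directions.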

