[strongSwan] constraint check failed on different auth methods of sides

Volodymyr Litovka doka.ua at gmx.com
Tue Oct 13 15:46:26 CEST 2020

Hi colleagues,

the question is for those who remember the history of changes in strongSwan :-)

I'm using exactly the same configuration on two OpenWrt devices (one
equipped with 5.8.2, another one with 5.6.2) and while it works with the
latter, it doesn't with the old one. The configuration is below; the message is:

15[CFG] <rc|28> constraint requires pre-shared key authentication, but public key was used
15[CFG] <rc|28> selected peer config 'rc' inacceptable: constraint checking failed

when I'm trying to use different auth methods on both sides: PSK on the left
side and pubkey on the right side. Was this functionality - different methods
of mutual authentication - introduced somewhere between 5.6.2
and 5.8.2?

The client's configuration (which, again, works with 5.8.2 and doesn't with
5.6.2) is:

conn rc
         keyexchange = ikev2
         [ ... ]
         # we are
         left = %defaultroute
         leftauth = psk
         leftid = gagarin
         leftsubnet =
         leftupdown = /etc/ipsec.updown
         # server
         right = x.x.x.x
         rightauth = pubkey
         rightid = f.q.d.n
         rightsubnet =

Thank you

Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
