On Thu, 23 Jul 2020, Balaji Thoguluva wrote:
Subject: [Swan-dev] Symmetric vs Asymmetric authentication
What is the definition of symmetric and asymmetric authentication in the context of Libreswan?
If both ends are using the same mode of authentication, for example both use PSK or both use X.509 certificate-based authentication, are they considered symmetric authentication?
Yes. That is, you can configure it based on using authby=.

The asymmetric ones require you use leftauth= and rightauth= because the methods are different. The most common one is where the clients authenticate the server using certificates, but the clients authenticate to the server using EAP (note libreswan does not yet support EAP).

We also use it to support Opportunistic IPsec on the internet, where the client (typically laptop or phone behind NAT) can authenticate the remote server via a common CA (letsencrypt) or DNSSEC based IPSECKEY records, while the clients want to remain anonymous and the server doesn't care who it is protecting and serving for. In this case we use leftauth=null and rightauth=rsasig on the client configuration.

Paul
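The two cases from the reply above, written out as ipsec.conf connection definitions. This is an added example, not part of the original e-mail or the libreswan project's own configuration; the conn names and the documentation-range addresses (192.0.2.1, 198.51.100.1) are constructed placeholders.

```conf
# Symmetric: both ends prove their identity with the same method,
# so a single authby= line covers left and right.
# (The matching pre-shared key lives in ipsec.secrets, not shown.)
conn example-symmetric-psk
    left=192.0.2.1
    right=198.51.100.1
    authby=secret
    auto=add

# Asymmetric, client side: each end uses a different method, so the
# per-end leftauth= / rightauth= options replace authby=.
# left  = this client: sends no identity and proves nothing (null auth)
# right = the server: must present a certificate signed by a CA the
#         client trusts, and prove possession of its RSA key
conn example-asymmetric-anon-client
    # asymmetric and null authentication are IKEv2 features
    ikev2=insist
    left=%defaultroute
    leftid=%null
    leftauth=null
    right=198.51.100.1
    # take the server's identity and public key from its certificate
    rightid=%fromcert
    rightrsasigkey=%cert
    rightauth=rsasig
    auto=add
```

With the second conn the server cannot tell clients apart, so any access control on the server side has to rest on something other than the IKE identity.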
