On Thu, 10 Dec 2020, John Serink wrote:
Further to this, I since searched the email lists and found that libreswan does NOT support asymmetric PSK keys. That is "very" disappointing since the ikev2 RFC supports this.
Can you explain what the advantage is of basically using 2 PSKs instead of 1 per connection? As they both need to be shared to the same devices, a compromise of one PSK would compromise the second PSK?
Any possibility of getting this added? Asymmetric keys are a step up from using a common key for all remote hosts.
That is not what this means. You can already have one PSK per connection, so that you are giving each local-remote host its own PSK to use. Let's say you have hosts east, west and north. You can have ipsec.secrets like:

    @east @west : PSK "secret-for-east-west"
    @east @north : PSK "anothersecret-for-east-north"
    @west @north : PSK "yetanothersecret-for-west-north"

where you would only add the lines containing @east on east, @west on west, @north on north, etc.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
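The per-pair layout Paul describes, as an added example that is not part of the thread and not libreswan project code: a POSIX shell script that generates one random PSK for every unordered pair of hosts and then filters out the subset of ipsec.secrets lines each host actually needs, so no host ever holds a secret for a link it is not part of. The host names (east, west, north) follow the thread; using them as the IKE IDs (@east, ...), generating the secret with `openssl rand -base64 32`, and the bare `: PSK "..."` wildcard line shown in the comment as the weak all-hosts form are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the libreswan mailing list thread.
# Generates one PSK per host pair and prints, for each host, only the
# ipsec.secrets lines that mention that host's IKE ID.
#
# The weak layout this replaces is a single wildcard line such as
#     : PSK "one-secret-for-everyone"
# which every peer shares, so one compromised host exposes every link.
# (Wildcard-line syntax is assumed from ipsec.secrets(5).)
set -eu

# Random 32-byte PSK, base64 encoded (44 characters, no quotes or newlines).
# Falls back to /dev/urandom when openssl is not installed.
gen_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# Emit one '@a @b : PSK "..."' line for every unordered pair of the
# host IDs given as arguments (N hosts -> N*(N-1)/2 lines).
all_pairs() {
    while [ $# -gt 1 ]; do
        a=$1
        shift
        for b in "$@"; do
            printf '@%s @%s : PSK "%s"\n' "$a" "$b" "$(gen_psk)"
        done
    done
}

# Read the full table on stdin and keep only the lines naming host $1.
# The ID is either at the start of the line or after a space, and is
# always followed by a space, which avoids matching e.g. @eastern for east.
lines_for_host() {
    grep -E "(^| )@$1 "
}

# Demo: build the table once, then show what each host's
# /etc/ipsec.secrets should contain. The full table is never copied to
# any host; every line reaches exactly the two peers that use it.
table=$(all_pairs east west north)
for h in east west north; do
    printf '# /etc/ipsec.secrets on %s\n' "$h"
    printf '%s\n' "$table" | lines_for_host "$h"
    printf '\n'
done
```

Generate the table on an administrative host, distribute each host's subset over a trusted channel, and restart or re-read secrets on each peer afterwards; a compromise of east then exposes only the east-west and east-north keys, while the west-north link keeps a secret east never held.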
