Skip to content

ipsec: add some authentication documentation #885

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
swhite2 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ipsec: add some authentication documentation #885

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions source/manual/vpnet.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -437,6 +437,64 @@ The advantage of this type of setup is one can use standard or advanced routing
for the start action.


.................................
Authentication
.................................

In IPsec, authentication happens during the IKE negotiation phase, before encrypted traffic is allowed through
the tunnel. Each side proves its identity using one or more configured authentication methods, such as a
pre-shared key, certificate/private key, EAP method, Xauth or RADIUS-backed authentication.

A connection can define multiple local and remote authentication entries. This allows one connection to
use a simple one-step authentication, such as PSK or public key, or multi-step authentication, such as
public key plus EAP or XAuth. StrongSwan supports multiple authentication rounds for IKEv2 and XAuth-style
authentication for IKEv1.

**Local authentication** defines how this sytem authenticates itself to the peer.

**Remote authentication** defines how the peer is expected to authenticate itself to this system.

Each authentication entry has an ID, the ID is important because it is the identity presented or expected
during IKE authentication. It is also used to select matching credentials, such as pre-shared keys or public keys.
Copy link
Copy Markdown
Member

@AdSchellevis AdSchellevis May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the help text/swanctl documentation:

IKE identity to use for authentication round. When using certificate authentication the IKE identity must be contained in the certificate; either as the subject DN or as a subjectAltName (the identity will default to the certificate’s subject DN if not specified). Refer to https://docs.strongswan.org/docs/5.9/config/identityParsing.html for details on how identities are parsed and may be configured.

Maybe we should mention certificate matching here briefly was well.


For example:

.. code-block::

Connection: Branch-A

Local Authentication:
Authentication: Public Key
ID: vpn.example.com

Remote Authentication:
Authentication: EAP-MSCHAPv2
ID: branch-a-user

This means the local system authenticates as :code:`vpn.example.com` using a public key, while the remote
side is expected to authenticate as :code:`branch-a-user` using EAP-MSCHAPv2.

.. Important::

IKEv1 and IKEv2 have different historical behavior when it comes to IKE identities. In practice,
it's generally recommended to explicitly set all ID values in the connection local/remote authentication,
as well as the local/remote IDs of the pre-shared keys or local IDs for key-pairs. Leaving these empty
will often default to the local IP on the local side and :code:`%any` for the remote side. This means
that if you have PSKs linked to your local IP, these are elligible to be used for other connections
Copy link
Copy Markdown
Member

@AdSchellevis AdSchellevis May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think pre-shared keys are a bit of an odd duck here as they come with their own identifiers which should match (by pattern), where keypairs are simply matched by their public key (and ids are only used to match the connection).

When it comes to roadwarriors, remote is almost always set to %any (blank) as far as I know.

as well.


.. Tip::

If you have configured the correct PSK on both peers, but the tunnel is still not authenticating,
look for lines in the log on the **responder** side matching something like:

:code:`looking for peer configs matching 203.00.113.10[moon.strongswan.org]...198.51.100.20[carol@strongswan.org]`

The parts outside brackets are the IKE SA IPs and the bracketed parts are IKE identities.
This will quickly show you if one of the peers expects a differente IKE Identity.


.................................
Road Warriors / Mobile users
.................................
Expand Down