How to Configure StrongSwan IKEv2 VPN with Pre-Shared Key (PSK) Authentication

While certificates provide stronger security through a PKI, PSK authentication offers a simpler setup for testing or smaller deployments. The main configuration differences are in the ipsec.conf and ipsec.secrets files.

Here's the modified configuration for PSK authentication:

# /etc/ipsec.conf changes
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    # modp1024 is a 1024-bit DH group and is considered weak today; the
    # "recommended crypto settings" at the end of this article replace it
    ike=aes256-sha256-modp1024,aes128-sha1-modp1024!
    esp=aes256-sha256,aes128-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.example.com
    # both sides authenticate with the shared secret from ipsec.secrets
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    # only consulted by EAP methods; harmless but has no effect with PSK
    eap_identity=%identity

Create or modify /etc/ipsec.secrets with your credentials:

# /etc/ipsec.secrets
# no ID selector before the colon: this PSK is used for every peer
: PSK "YourSecurePreSharedKeyHere"

For Windows clients using native IKEv2 with PSK:

Add-VpnConnection -Name "IKEv2-PSK-VPN" -ServerAddress "vpn.example.com" `
    -TunnelType "IKEv2" -EncryptionLevel "Required" `
    -AuthenticationMethod "MachineCertificate" -SplitTunneling $true `
    -RememberCredential $true
# Note: -AuthenticationMethod accepts Pap, Chap, MSChapv2, Eap or MachineCertificate.
# The built-in Windows IKEv2 client has no PSK option (PSK exists only for L2TP,
# via -L2tpPsk), so a PSK-only server needs a third-party client, or EAP or
# certificate authentication on the server.

If the connection fails:

  • Check logs with journalctl -u ipsec -f
  • Verify PSK format - no quotes needed for simple keys
  • Ensure matching IKE/ESP proposals on client and server

While PSK is convenient, consider these security practices:

  • Use complex keys (20+ random characters)
  • Rotate keys periodically
  • Limit source IPs when possible
  • Monitor connection attempts

When setting up an IKEv2 VPN with StrongSwan, you have two primary authentication options:

  • Certificate-based: Uses X.509 certificates for mutual authentication
  • Pre-Shared Key (PSK): Uses a shared secret key string

PSK is simpler to implement but less secure than certificates. Here's how to convert your existing certificate-based setup to PSK.

The key modifications needed in ipsec.conf:

# Remove certificate-related lines:
# leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
# leftsendcert=always

# Add these PSK-specific parameters:
leftauth=psk
rightauth=psk

The secrets file needs to contain your PSK:

# /etc/ipsec.secrets
# selectors "%any %any": the PSK applies to any local and any remote identity
%any %any : PSK "your_strong_pre_shared_key_here"

Best practice is to generate a random 32+ character key and set strict permissions:

chmod 600 /etc/ipsec.secrets
chown root:root /etc/ipsec.secrets
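The key generation and file hardening described above, carried through as a small script. This is an added example, not part of the original article or of strongSwan itself: it draws the key from /dev/urandom as hex, writes a single PSK line with the server identity from the configuration above, and creates the file 0600 from the start so there is never a world-readable window. The output path is a parameter so the functions can be exercised unprivileged; in production pass /etc/ipsec.secrets and run as root so the chown applies.

```shell
#!/bin/sh
# Added example (not from the original article): generate a random PSK and
# write an ipsec.secrets file that only root can read.

# gen_psk [BYTES]: print BYTES of random data as hex (default 32 bytes = 64 chars)
gen_psk() {
  bytes=${1:-32}
  od -An -N"$bytes" -tx1 /dev/urandom | tr -d ' \n'
}

# write_secrets FILE KEY [SERVER_ID]: write "<server_id> %any : PSK \"<key>\"",
# creating the file with mode 0600; chown root:root only when running as root.
write_secrets() {
  file=$1; key=$2; server_id=${3:-@vpn.example.com}   # server_id as in the article's leftid
  # umask in a subshell so the caller's umask is untouched; file is 0600 on creation
  ( umask 077; printf '%s %%any : PSK "%s"\n' "$server_id" "$key" > "$file" )
  chmod 600 "$file"
  if [ "$(id -u)" -eq 0 ]; then
    chown root:root "$file"
  fi
  return 0
}

# secrets_mode FILE: print the permission string, e.g. -rw-------
secrets_mode() {
  ls -ld "$1" | cut -c1-10
}

# psk_len KEY: number of characters in KEY
psk_len() {
  printf '%s' "$1" | wc -c | tr -d ' '
}

# Stand-alone run: writes to a temp file, not to /etc/ipsec.secrets
key=$(gen_psk)
out=$(mktemp)
write_secrets "$out" "$key"
printf 'wrote %s (%s chars) with mode %s\n' "$out" "$(psk_len "$key")" "$(secrets_mode "$out")"
rm -f "$out"
```

A 32-byte key rendered as 64 hex characters keeps the whole secret in a single alphanumeric token, which sidesteps the quoting and whitespace mismatches listed in the troubleshooting notes.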

Here's a full working configuration for /etc/ipsec.conf:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha256-modp2048,aes128-sha1-modp2048!
    esp=aes256-sha256,aes128-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.example.com
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=psk
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    eap_identity=%identity

Windows 10/11:

Add-VpnConnection -Name "IKEv2 VPN" -ServerAddress vpn.example.com `
    -TunnelType IKEv2 -AuthenticationMethod MachinePsk -EncryptionLevel Required
# Note: MachinePsk is not an accepted value; -AuthenticationMethod takes Pap, Chap,
# MSChapv2, Eap or MachineCertificate, and the built-in Windows IKEv2 client has no
# PSK mode (PSK exists only for L2TP via -L2tpPsk). A PSK-only server therefore
# needs a third-party client, or EAP or certificate authentication on the server.

Android (strongSwan client):

VPN Type: IKEv2 EAP (Username/Password)
Server: vpn.example.com
Username: [any]
Password: [any]
CA Certificate: Don't validate
User Certificate: None

Note that the strongSwan Android app has no PSK profile type, so this EAP profile only authenticates against a server that is configured for EAP rather than the PSK-only configuration above. Disabling CA validation also removes authentication of the server, so it is acceptable only for a throwaway test.

If the connection fails:

  • Verify PSK matches exactly on both ends (including whitespace)
  • Check logs with journalctl -u ipsec -f
  • Test connection with ike-scan -A vpn.example.com
  • Enable debug logging by increasing charondebug values

While PSK is convenient, consider these security measures:

# Recommended crypto settings for modern security:
# aes256gcm16 is an AEAD cipher, so ESP needs no separate integrity algorithm;
# ecp384 replaces the weak modp1024 DH group, and the trailing "!" makes the
# proposal strict so no weaker algorithm can be negotiated
ike=aes256gcm16-sha384-prfsha384-ecp384!
esp=aes256gcm16-ecp384!

Rotate PSKs regularly and implement firewall rules to limit connection attempts.
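A way to check a configuration against the recommendation above before deploying it: the script below scans the ike= and esp= proposal lines of an ipsec.conf and flags algorithms on a weak list. It is an added example, not part of the original article or of strongSwan; the two sample configurations are constructed from the article's first PSK configuration and from the recommended settings, and the weak-token list (modp768/1024/1536, SHA-1, MD5, DES/3DES, null) is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original article): flag weak algorithms in the
# ike= and esp= proposals of an ipsec.conf.

# Constructed from the article's first PSK configuration (1024-bit DH, SHA-1)
WEAK_CONF='conn ikev2-vpn
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,aes128-sha1-modp1024!
    esp=aes256-sha256,aes128-sha1!
    leftauth=psk
    rightauth=psk'

# Constructed from the article's recommended modern settings
STRONG_CONF='conn ikev2-vpn
    keyexchange=ikev2
    ike=aes256gcm16-sha384-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    leftauth=psk
    rightauth=psk'

# weak_tokens_in PROPOSAL: split a strongSwan proposal string on "," and "-"
# into algorithm tokens and print the ones on the weak list, deduplicated.
weak_tokens_in() {
  printf '%s\n' "$1" | tr -d '!' | tr ',-' '\n\n' \
    | grep -E -x 'modp768|modp1024|modp1536|sha1|md5|3des|des|null' | sort -u
}

# audit_proposals: read ipsec.conf text on stdin, print one verdict per
# ike=/esp= line, and return 1 if any proposal contains a weak token.
audit_proposals() {
  rc=0
  while IFS= read -r line; do
    trimmed=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
    case "$trimmed" in
      ike=*|esp=*) ;;
      *) continue ;;
    esac
    key=${trimmed%%=*}
    val=${trimmed#*=}
    weak=$(weak_tokens_in "$val" | tr '\n' ' ')
    if [ -n "$weak" ]; then
      printf '%s: WEAK: %s\n' "$key" "$weak"
      rc=1
    else
      printf '%s: ok\n' "$key"
    fi
  done
  return "$rc"
}

# Stand-alone run: the first audit reports the weak tokens and returns 1
printf '%s\n' "$WEAK_CONF" | audit_proposals || echo "weak proposals found"
printf '%s\n' "$STRONG_CONF" | audit_proposals
```

Run it over a real file with `audit_proposals < /etc/ipsec.conf`; a non-zero exit status makes it usable as a pre-deployment gate.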