Skip to main content
NetApp Knowledge Base

CONTAP-689361: Different PSKs for the same IKE local and remote identity pair within the same SVM could cause IKE negotiation failure

  1. Last updated
  2. Save as PDF
Views:
3
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

Issue

  • Though strongSwan allows one to configure different PSKs for the same identity tuple (SVM, local_identity, remote_identity), users should be aware that this configuration is not guaranteed to work when negotiating with a different IKE implementation.
  • When strongSwan is the initiator, it will pick the first PSK matching the identity tuple, and the responder needs to have that PSK in order to verify the IKE_AUTH message.
  • When strongSwan is the responder and an IKE_AUTH message is received, it will try all PSKs of the same identity tuple until a successful verification is reached.
  • If all PSKs are tried without verification, then it will respond with an authentication failure.
  • ONTAP will allow users to configure different PSKs for the same identity tuple. But because of the possible negotiation failure when negotiating with a non-strongSwan partner, a mgwd.log warning message will be generated.
  • The warning message is as follows:

Different PSKs for the same identities <%s> are detected. This could cause authentication failure during IKE negotiation.

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.