From c106f77cdd74f46bc48d789925772a74c1d9cf70 Mon Sep 17 00:00:00 2001 From: Stephan de Wit Date: Thu, 28 May 2026 11:12:53 +0200 Subject: [PATCH] ipsec: elaborate on PSK gotcha (#886) --- source/manual/how-tos/ipsec-s2s-conn-route.rst | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/source/manual/how-tos/ipsec-s2s-conn-route.rst b/source/manual/how-tos/ipsec-s2s-conn-route.rst index fc9b5f6a..afaa492c 100644 --- a/source/manual/how-tos/ipsec-s2s-conn-route.rst +++ b/source/manual/how-tos/ipsec-s2s-conn-route.rst @@ -135,9 +135,19 @@ Id **hostB** **hostA** .. Note:: - Secrets for both ends need to be added to ":menuselection:`VPN->IPsec->Pre-Shared Keys`", site A needs a secret - set for local identifier :code:`hostB`. Optionally one may also set a second (remote) identifier in which case the secret - belongs to these two identifiers. + A pre-shared key needs to be added to ":menuselection:`VPN->IPsec->Pre-Shared Keys`". Set :code:`hostA` for + local identifier and :code:`hostB` for remote identifier. + + While the remote identifier is optional, keep in mind that not specifying it will make this PSK elligible to + be used for different connections using the same local ID as well. It is generally recommended to + be as specific as possible. + + +.. Tip:: + + If you have an ID specified in the Remote Authentication grid in a connection, then this connection + now expects the other end to identifiy itself with this ID. Make sure this reflects reality, as some + systems do not allow you to set a specific ID and can default to their local IP address instead. ..................... Children
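Review bot: The rewritten Note loses the site context that the removed lines carried ("Secrets for both ends", "site A needs a secret"). The new first paragraph says to set :code:`hostA` as local and :code:`hostB` as remote identifier, but does not say on which firewall, and it no longer says that the other end needs an entry as well. Please name the site the example applies to and state what the peer has to configure, so a reader following the how-to does not create the key on one side only. The local identifier in the example also changes from :code:`hostB` to :code:`hostA`, while the subject line only says "elaborate". If this is a correction, it deserves a mention in the commit message. Two spelling errors in the added lines: "elligible" should be "eligible" and "identifiy" should be "identify". The recommendation to "be as specific as possible" would be clearer if it said outright that both identifiers should be set, since that is what the preceding sentence argues for.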