How to configure StrongSwan IKEv2 VPN with PSK (pre-shared key)?

I'm looking for a configuration instructions for IKEv2 VPN that uses pre-shared keys instead of certs (those are different methods for tunnel encryption I'd assume?).

I've followed this wonderful tutorial to get IKEv2 VPN working (with certificate) and it works.

My question is what needs to be changed so that it would use PSK instead? I'd assume changes in /etc/ipsec.secrets and /etc/ipsec.conf are to be made.

My current ipsec.conf looks like this:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_name_or_ip
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

UPD: Based on my tinkering and @ChandanK answer, I've made two scripts to deploy a StrongSwan VPN server on a fresh Ubuntu 16.04 install here: https://github.com/truemetal/ikev2_vpn


Assuming that you want to setup your right side with psk. This is fairly easy.

1. remove eap_identity and rightsendcert fields. 2. set rightauth=secret

Now edit /etc/ipsec.secrets file:

1. remove "your_username %any% : EAP "your_password"" line. 2. add ": PSK <your_password>"

Then reread the secrets and restart the service.

$sudo ipsec rereadsecrets $sudo ipsec reload $sudo ipsec restart

All set. Follow "Connecting from iOS" and create a new ikev2 vpn connection. In authentication settings select none and put the shared secret key. Hopefully you connect.

Edit:

Based on the comments, configuration changes required to switch to pre-shared key authentication:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_name_or_ip
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    authby=secret

Remove the following line from ipsec.secrets:

server_name_or_ip : RSA "/etc/ipsec.d/private/vpn-server-key.pem

Then reread the secrets and restart the service.


Based on my tinkering and @ChandanK answer, I've made two scripts to deploy a StrongSwan VPN server on a fresh Ubuntu 16.04 install here: https://github.com/truemetal/ikev2_vpn