Hi Emeric,

> To sum up, for compatibility reason, as soon as there is something other than
> an IP address, we have to activate the
> "i_dont_care_about_security_and_use_aggressive_mode_psk" option?

The charon daemon, since 5.5.2, does a config lookup based on the IP addresses and then searches for PSKs based on the configured identities; only if that does not yield a secret will the PSK lookup be based on the IPs, see [1]. So you could use identities other than IPs, at least if the configs can be matched properly (e.g. based on the IPs or hostnames there). Otherwise, you will have to use aggressive mode. But before you do that you should rather switch to certificates or even IKEv2.

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev1/phase1.c;h=adce59f7ed21b7dccd2b2fb7b39f0163b1e27135;hb=HEAD#l147
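
An added illustration, not part of the message above or of strongSwan's shipped configuration: an IKEv1 main-mode PSK setup of the kind the reply describes, where the peer address is fixed so the config can be matched by IP and the secret is keyed by the configured FQDN identities. The connection name, host names, addresses and the secret are placeholders.

```conf
# /etc/ipsec.conf on the local gateway (constructed example)
# Assumes strongSwan 5.5.2 or later, the version the reply names for
# the identity-based PSK lookup.

conn site-to-site
    keyexchange=ikev1
    # Main mode: the aggressive mode override in strongswan.conf stays unset.
    aggressive=no
    authby=secret
    left=192.0.2.1
    leftid=@moon.example.org
    # A fixed peer address lets charon match this config by IP first.
    right=192.0.2.2
    rightid=@sun.example.org
    auto=add

# /etc/ipsec.secrets on the same gateway (constructed example)
# The PSK is selected by the configured identities; charon falls back to
# an IP-based lookup only if no secret matches them.
@moon.example.org @sun.example.org : PSK "REPLACE-WITH-LONG-RANDOM-SECRET"
```

If the peer's address is not known in advance and the config cannot be matched this way, the reply's advice applies: prefer certificates or IKEv2 over enabling aggressive mode with a PSK.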