IPsec Pre-Shared Keys Tab

The Pre-Shared Keys tab under VPN > IPsec defines key and identifier pairs which are used for authenticating IPsec tunnels. Primarily this is intended for use with mobile IPsec but there are occasional use cases for site-to-site tunnels as well.


A string used to identify a peer. This is typically a username, a hostname, an E-mail address, or an IP address.

Secret Type:

The type of secret to associate with this identity. It can be one of two types:


A traditional pre-shared key for use with most IKEv1 mobile IPsec configurations, site-to-site tunnels, and similar use cases.


An EAP key for use with IKEv2 mobile IPsec EAP-MSCHAPv2 authentication.

Pre-Shared Key:

The contents of the key. As with a pre-shared key on an IPsec tunnel, this should be as long and complex as feasible. However, since this may be manually entered by a human in a manner similar to a password it might need to be more user-friendly than the key for a site-to-site tunnel.


The contents of these passwords must be known to the IPsec daemon and thus they must be stored in plain text (Password Storage Security Policies). If this is not acceptable, consider using RADIUS-based authentication instead.

Additional options are available for EAP type keys:

Identifier Type:

Manually sets the type of the Identifier field to override automatic behavior.

See also

See Phase 1 Proposal (Authentication) for explanations of the different identifier types.

Virtual Address Pool:

A static IP address to assign to this particular peer. Leave blank to assign a random address from the pool defined on the Mobile Clients tab.


This configuration creates a new pool which must not overlap existing pools. As such, this address must be outside of the pool defined on the Mobile Clients tab and different from any other pool defined on other PSK tab entries.

DNS Server:

A DNS server that the firewall will push to only this peer. Leave blank to use the DNS server value(s) from the Mobile Clients tab.