IPsec Pre-Shared Keys Tab

The Pre-Shared Keys tab under VPN > IPsec defines key and identifier pairs which are used for authenticating IPsec tunnels. Primarily this is intended for use with mobile IPsec but there are occasional use cases for site-to-site tunnels as well.


A string used to identify a peer. This is typically a username, a hostname, an E-mail address, or an IP address.

Secret Type

The type of secret to associate with this identity. It can be one of two types:


A traditional pre-shared key for use with most IKEv1 mobile IPsec configurations, site-to-site tunnels, and similar use cases.


An EAP key for use with IKEv2 mobile IPsec EAP-MSCHAPv2 authentication.

Pre-Shared Key

The contents of the key. As with a pre-shared key on an IPsec tunnel, this should be as long and complex as feasible. However, since this may be manually entered by a human in a manner similar to a password it might need to be more user-friendly than the key for a site-to-site tunnel.


The contents of these passwords must be known to the IPsec daemon and thus they must be stored in plain text (Password Storage Security Policies). If this is not acceptable, consider using RADIUS-based authentication instead.

Additional options are available for EAP type keys:

Identifier Type

Manually sets the type of the Identifier field to override automatic behavior.

See also

See Phase 1 Proposal (Authentication) for explanations of the different identifier types.

Virtual Address Pool

A static IP address to assign to this particular peer. Leave blank to assign a random address from the pool defined on the Mobile Clients tab.

DNS Server

A DNS server that the firewall will push to only this peer. Leave blank to use the DNS server value(s) from the Mobile Clients tab.