# IPsec: IKE SA authentication failed with peer 203.0.113.5, pre-shared key mismatch

- **ID:** `networking/ipsec-ike-sa-authentication-failure`
- **Domain:** networking
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 92%

## Root Cause

The Internet Key Exchange (IKE) security association could not be established because the pre-shared key (PSK) configured on the local device does not match the PSK on the remote peer, causing authentication failure during Phase 1 negotiation.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| strongSwan 5.9.8 | active | — | — |
| Libreswan 4.12 | active | — | — |
| Linux kernel 6.2 (XFRM) | active | — | — |

## Workarounds

1. **cat /etc/ipsec.secrets | grep 203.0.113.5** (95% success)
   ```
   cat /etc/ipsec.secrets | grep 203.0.113.5
   ```
2. **In ipsec.conf, change 'authby=secret' to 'authby=rsasig' and configure certificates.** (85% success)
   ```
   In ipsec.conf, change 'authby=secret' to 'authby=rsasig' and configure certificates.
   ```

## Dead Ends

- **Restarting strongSwan or Libreswan to clear the error.** — Does not change the PSK configuration; the same mismatch persists after restart, and authentication will fail again. (95% fail)
- **Modifying the IKE proposal to use different algorithms in hopes of bypassing the error.** — The authentication failure is due to PSK mismatch, not algorithm incompatibility; changing proposals does not affect PSK validation. (85% fail)