# IPsec: IKE SA authentication with peer 203.0.113.5 failed, pre-shared key mismatch

- **ID:** `networking/ipsec-ike-sa-authentication-failure`
- **Domain:** networking
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 92%

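## Root cause

The Internet Key Exchange (IKE) security association cannot be established because the pre-shared key (PSK) configured on the local device does not match the remote peer's PSK, so authentication fails during phase 1 negotiation.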

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| strongSwan 5.9.8 | active | — | — |
| Libreswan 4.12 | active | — | — |
| Linux kernel 6.2 (XFRM) | active | — | — |

## Solution

1. ```
   # Show the entry configured for the peer (-F matches the address literally)
   grep -F '203.0.113.5' /etc/ipsec.secrets
   ```
2. In `ipsec.conf`, change `authby=secret` to `authby=rsasig` and configure certificates.
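
An added example (not part of the original entry or of the strongSwan/Libreswan projects): a shell helper that extracts the PSK for one peer from an `ipsec.secrets`-style file and prints a short SHA-256 fingerprint, so the admins on both ends can compare keys without sending the key itself. The function names, the sample files and the local address 198.51.100.7 are assumptions made for the illustration; it needs `awk` and `sha256sum`.

```shell
#!/bin/sh
# Added example: fingerprint the PSK configured for one peer in an
# ipsec.secrets-style file, so both ends can compare without pasting the key.

# psk_for_peer FILE PEER: print the PSK of the first "selectors : PSK value"
# line whose selectors include PEER; exit status 1 if there is none.
psk_for_peer() {
    awk -v peer="$2" '
        /^[ \t]*#/ { next }                          # comment line
        match($0, /:[ \t]*PSK[ \t]+/) {
            sel = substr($0, 1, RSTART - 1)          # text before ": PSK"
            val = substr($0, RSTART + RLENGTH)       # text after it
            n = split(sel, ids, /[ \t]+/); hit = 0
            for (i = 1; i <= n; i++) if (ids[i] == peer) hit = 1
            if (!hit) next
            if (val ~ /^"/) {                        # quoted: keep inner text,
                sub(/^"/, "", val)                   # including any spaces
                sub(/"[^"]*$/, "", val)
            } else sub(/[ \t].*$/, "", val)          # 0x.. / 0s.. token
            printf "%s", val; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# psk_fingerprint FILE PEER: first 16 hex digits of SHA-256 over the PSK.
# Runs in a subshell so the key never stays in a shell variable. Treat the
# output as sensitive: a short or guessable PSK can be recovered from it.
psk_fingerprint() (
    psk=$(psk_for_peer "$1" "$2") || exit 1
    printf '%s' "$psk" | sha256sum | cut -c1-16
)

# Constructed sample files (not real keys): the remote copy has a trailing
# space inside the quotes, which is invisible in most terminals.
demo=$(mktemp -d)
printf '%s\n' '203.0.113.5 : PSK "Examp1e-Key"'   > "$demo/local.secrets"
printf '%s\n' '198.51.100.7 : PSK "Examp1e-Key "' > "$demo/remote.secrets"
a=$(psk_fingerprint "$demo/local.secrets" 203.0.113.5)
b=$(psk_fingerprint "$demo/remote.secrets" 198.51.100.7)
echo "local:  $a"
echo "remote: $b"
[ "$a" = "$b" ] && echo "PSK matches" || echo "PSK differs"
rm -rf "$demo"
```

Run `psk_fingerprint /etc/ipsec.secrets 203.0.113.5` on the local gateway and the equivalent on the peer; differing output confirms the mismatch described under the root cause.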

## Ineffective attempts

- **Restarting strongSwan or Libreswan to clear the error.** — Does not change the PSK configuration; the same mismatch persists after restart, and authentication will fail again. (95% failure rate)
- **Modifying the IKE proposal to use different algorithms in hopes of bypassing the error.** — The authentication failure is due to PSK mismatch, not algorithm incompatibility; changing proposals does not affect PSK validation. (85% failure rate)
