If you wish to use preshared keys, your ipsec.secrets should look like the following:
%any <router ip address>: PSK "<your preshared key>"
if you are dealing with roadwarriors with dynamic IP addresses. The "%any" index means every peer presenting this key is accepted, so all your roadwarriors share one secret and a key leaked from any one client is leaked for all of them. If you know the IP address of the endpoint and do not wish to share the same key amongst multiple roadwarriors, you can specify that address in place of "%any". If you don't want to share keys and you don't know the IP addresses of your clients, certificates are your only real option.
The private key belonging to your IPsec gateway's certificate can either be extracted (using fswcert as in Step 2) and put directly in the ipsec.secrets file, or it can be stored in the /etc/ipsec.d/private directory (in either DER or PEM format) and referenced in ipsec.secrets by filename, with an optional passphrase if the key file is encrypted.
If you choose to extract the key and keep the whole thing in ipsec.secrets directly, your ipsec.secrets file will look like this:
: RSA {
    Modulus: 0xB664D963F28A...
    PublicExponent: 0x010001
    PrivateExponent: 0x518CA9BE0C55...
    Prime1: 0xED48CBD214FC...
    Prime2: 0xC4C7B7244774...
    Exponent1: 0x314D4BD435BA...
    Exponent2: 0x6237A8E2B3C3...
    Coefficient: 0xCEA15F52310E...
    }
except that the long hexadecimal strings will be much longer. The ": RSA" line must start at the left margin, but every other line of the entry must be indented (spaces or tabs will do). Because the file now holds the gateway's private key in the clear, it MUST be owned by root and have permissions no more permissive than 0700 to be secure; 0600 (readable and writable by root only) is the usual choice.
Otherwise, put the private key (serverKey.pem from Step 2) in /etc/ipsec.d/private, secure it with an optional passphrase (recommended) and reference it in the ipsec.secrets file like so:
: RSA serverKey.pem "<optional passphrase>"
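The following is an added check, not code from the original documentation or from the FreeS/WAN project. It is a small linter that applies the rules above to an ipsec.secrets file: it splits the file into entries using the left-margin/indented-continuation layout, recognises the three entry forms shown on this page (PSK, inline RSA, RSA by filename), checks that the components of an inline RSA entry are mutually consistent so that a mistyped hex digit is caught before the gateway tries to use the key, and checks the root-owned, owner-only permission rule. The sample file and its tiny RSA key are constructed for the example; the consistency checks assume the component names carry their PKCS#1 meanings (Exponent1 = d mod (p-1), Exponent2 = d mod (q-1), Coefficient = q^-1 mod p), which is an assumption of this example, not something the page states.

```python
import os
import re
import stat
from math import gcd

# Constructed sample ipsec.secrets (not a real configuration). The RSA entry
# uses a deliberately tiny toy key (n = 61 * 53, e = 17) so the arithmetic is
# easy to follow; a real fswcert entry has a much longer modulus.
SAMPLE_SECRETS = """\
# roadwarriors with dynamic addresses share one PSK with the gateway 192.0.2.1
%any 192.0.2.1: PSK "not-a-real-key"
# a peer with a known address gets a key of its own
198.51.100.7 192.0.2.1: PSK "another-not-real-key"
: RSA {
    Modulus: 0xCA1
    PublicExponent: 0x11
    PrivateExponent: 0xAC1
    Prime1: 0x3D
    Prime2: 0x35
    Exponent1: 0x35
    Exponent2: 0x31
    Coefficient: 0x26
    }
: RSA serverKey.pem "example-passphrase"
"""

RSA_FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1",
              "Prime2", "Exponent1", "Exponent2", "Coefficient")


def parse_ipsec_secrets(text):
    """Split the file into entries using the documented layout rule:
    an entry starts at the left margin, indented lines continue it."""
    groups = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not groups:
                raise ValueError("indented line before any entry: %r" % raw)
            groups[-1].append(raw.strip())
        else:
            groups.append([raw.strip()])
    return [_parse_entry(" ".join(g)) for g in groups]


def _parse_entry(joined):
    # The first ':' separates the (possibly empty) index list from the secret.
    lhs, sep, rhs = joined.partition(":")
    if not sep:
        raise ValueError("no ':' in entry: %r" % joined)
    indices, rhs = lhs.split(), rhs.strip()
    m = re.fullmatch(r'PSK\s+"([^"]*)"', rhs)
    if m:
        return {"indices": indices, "kind": "PSK", "secret": m.group(1)}
    if rhs.startswith("RSA {") and rhs.endswith("}"):
        comps = {k: int(v, 16) for k, v in
                 re.findall(r"(\w+):\s*0x([0-9A-Fa-f]+)", rhs)}
        return {"indices": indices, "kind": "RSA", "components": comps}
    m = re.fullmatch(r'RSA\s+(\S+)(?:\s+"([^"]*)")?', rhs)
    if m:
        return {"indices": indices, "kind": "RSA_FILE",
                "file": m.group(1), "passphrase": m.group(2)}
    raise ValueError("unrecognised secret: %r" % rhs)


def check_rsa_components(c):
    """Verify the PKCS#1 relations between the components (assumed meaning of
    the field names). A mistyped hex digit breaks at least one of them."""
    missing = [k for k in RSA_FIELDS if k not in c]
    if missing:
        return ["missing component(s): " + ", ".join(missing)]
    n, e, d, p, q, dp, dq, qinv = (c[k] for k in RSA_FIELDS)
    problems = []
    if p * q != n:
        problems.append("Prime1 * Prime2 != Modulus")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if (e * d) % lam != 1:
        problems.append("PublicExponent * PrivateExponent != 1 mod lcm(p-1, q-1)")
    if dp != d % (p - 1):
        problems.append("Exponent1 != PrivateExponent mod (Prime1 - 1)")
    if dq != d % (q - 1):
        problems.append("Exponent2 != PrivateExponent mod (Prime2 - 1)")
    if (q * qinv) % p != 1:
        problems.append("Coefficient != Prime2^-1 mod Prime1")
    return problems


def permission_problems(mode, uid):
    """The documented rule: root-owned, no group/other bits (0600 in practice)."""
    problems = []
    if uid != 0:
        problems.append("not owned by root (uid %d)" % uid)
    if stat.S_IMODE(mode) & 0o077:
        problems.append("mode %04o grants access beyond the owner" % stat.S_IMODE(mode))
    return problems


def check_file_permissions(path="/etc/ipsec.secrets"):
    st = os.stat(path)
    return permission_problems(st.st_mode, st.st_uid)


def lint(text):
    """Return (entries, warnings) for the text of an ipsec.secrets file."""
    entries = parse_ipsec_secrets(text)
    warnings = []
    for ent in entries:
        if ent["kind"] == "RSA":
            warnings += check_rsa_components(ent["components"])
        elif ent["kind"] == "PSK" and "%any" in ent["indices"]:
            warnings.append("PSK shared by every %any peer: one leaked client leaks it for all")
    return entries, warnings
```

Run lint() on the file contents and check_file_permissions() on the file itself (the latter needs root to read a correctly protected ipsec.secrets). The %any warning is this example's own policy reminder of the sharing caveat above; it does not indicate a syntax error.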