Hi Peter,

> Looking at RFC 4306 for the packet format, there is no mentioning of APN.

IKEv2 does not know the term APN, only 3GPP does. So this is not specified in the IKEv2 standard that is implemented by strongSwan, but only on that upper level 3GPP standard that uses IKEv2. It is probably no problem to follow your 3GPP spec when configuring strongSwan, though.

> Looking at the Strongswan source, I did not find any implementation of
> sending the APN in the IDr ?

strongSwan sends the IDr request in the first IKE_AUTH message as initiator if it is set by the configuration. For an ipsec.conf based configuration, basically all you need is to set rightid to a non-wildcard value. In most of our test scenarios IDr is sent, have a look at the daemon.log in [1] as an example. But it is omitted if rightid is %any or has a wildcard, as seen in [2].

> The comment in method build_i suggests that IDr is optional?

Yes, it is. If the initiator knows the responder identity, it enforces it using the IDr payload. To avoid that, you also can use the % rightid prefix, refer to the ipsec.conf manpage for details.

Regards
Martin

[1] https://www.strongswan.org/uml/testresults/ikev2/rw-psk-fqdn/index.html
[2] https://www.strongswan.org/uml/testresults/ikev2/rw-psk-no-idr/index.html
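
The three rightid cases from the message above, side by side in one ipsec.conf. This is an added example, not part of the original message or of the strongSwan test suite; the conn names, hostnames and identities are constructed placeholders.

```conf
# /etc/ipsec.conf on the initiator (added example, all names are placeholders)

conn %default
    keyexchange=ikev2
    authby=secret
    left=%any
    leftid=carol@example.org
    right=gw.example.org
    auto=add

# Concrete, non-wildcard rightid: the initiator sends it as an IDr payload
# in its first IKE_AUTH message and enforces it as the responder identity.
# An identity required by an upper-level spec (for example the value a 3GPP
# profile asks for) would be configured here.
conn idr-sent
    rightid=gw.example.org

# rightid is %any (or contains a wildcard): no IDr payload is sent in the
# IKE_AUTH request, so the initiator does not ask for a specific responder
# identity.
conn idr-omitted
    rightid=%any

# "%" prefix in front of a concrete identity: avoids the enforcement through
# the IDr payload described above. See the ipsec.conf manpage for the exact
# matching behaviour.
conn idr-prefixed
    rightid=%gw.example.org
```

After bringing up one of these conns, the initiator's daemon.log shows whether an IDr payload was included in the IKE_AUTH request, which is the same check the two linked test results illustrate.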
