Hi Subhajit,

> 1. In most deployments, tunnel authentication is bypassed. So, even if the UE
> sends CERTREQ, it is ignored at the ePDG. The ePDG also doesn't send anything
> to the UE.
> Do you have any idea of how to implement that in strongSwan, or have you
> explored that earlier? I saw that in 3GPP 33.402 and RFC 5996, certificate
> things are optional.

I didn't look into it. I tested the ePDG with some Android phones (I also tested it once with an iPhone, while osmo-epdg was still being developed). Usually an ePDG is reachable via a 3gppnetwork.org domain, but I didn't have access to one, so I never tested it with the certificate. There is tunnel authentication, but not via a certificate, because EAP-AKA allows both ends to be validated and provides authenticity.

> However, I know that strongSwan authentication is tightly coupled, so I'm just
> trying to understand if you have already bypassed it by doing any changes in
> strongSwan, or at least know how it should be done.
>
> 2. There are many error and status codes written in the ePDG standard 24.302
> clause 8. Have you mapped all EPC core errors to the corresponding IKEv2 error or
> status codes?

No, this is still a TODO. The osmo-ePDG doesn't generate the Notify messages containing such errors.

Best,
lynxis