Re: [strongSwan] Strongswan AUTH payload signature hash algorithm for certificate based authentication

2016-10-11 Thread Andreas Steffen
Hi Kalyani,

compliant with RFC 5996, strongSwan generates the RSA public key
signature embedded in the AUTH payload with a SHA1 hash independent
of the HASH and PRF algorithm selected for IKEv2.

In addition to this legacy mechanism, strongSwan supports RFC 7427
"Signature Authentication in IKEv2"

  https://tools.ietf.org/html/rfc7427

where depending on the capabilities of the peer either SHA1, SHA256,
SHA384 or SHA512 based digital signatures are possible.

Starting with strongswan 5.3.0, "Signature Authentication" is enabled
by default and if the peer supports RFC 7427 usually SHA256 is chosen
implicitly with a 2048 bit or 3072 bit RSA key. The digest strength
of the AUTH payload of type "Digital Signature" can also be configured
explicitly if desired.

Best regards

Andreas


==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
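The two AUTH payload formats Andreas contrasts, as an added example (this is not code from the original post and not strongSwan's implementation): with the legacy RFC 5996 authentication method 1 the payload is a bare RSASSA-PKCS1-v1_5 signature and nothing in it says which hash was used, so a peer that follows the RFC verifies with SHA-1 and a SHA-256 signature is rejected, which is the symptom reported in this thread; with the RFC 7427 authentication method 14 the payload carries the DER AlgorithmIdentifier in front of the signature, so SHA-256 can be stated by the signer and honoured by the verifier. The code uses the Python `cryptography` package; the IKE_SA_INIT message, nonce, SK_pi and ID payload are constructed stand-ins, PRF_HMAC_SHA2_256 is assumed as in Kalyani's setup, and `vpn.example.com` is a placeholder.

```python
"""Added example: RSA signatures in the IKEv2 AUTH payload, legacy (RFC 5996,
auth method 1) versus RFC 7427 "Digital Signature" (auth method 14).

Not strongSwan code. Requires the `cryptography` package. All protocol
inputs below are constructed stand-ins, and PRF_HMAC_SHA2_256 is assumed.
"""
import hashlib
import hmac

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RFC 7427 Appendix A: DER AlgorithmIdentifier for RSASSA-PKCS1-v1_5 with each hash.
ALGID_BY_HASH = {
    "sha1":   bytes.fromhex("300d06092a864886f70d0101050500"),  # sha1WithRSAEncryption
    "sha256": bytes.fromhex("300d06092a864886f70d01010b0500"),  # sha256WithRSAEncryption
    "sha384": bytes.fromhex("300d06092a864886f70d01010c0500"),  # sha384WithRSAEncryption
    "sha512": bytes.fromhex("300d06092a864886f70d01010d0500"),  # sha512WithRSAEncryption
}
HASH_BY_ALGID = {v: k for k, v in ALGID_BY_HASH.items()}
HASH_CLASS = {"sha1": hashes.SHA1, "sha256": hashes.SHA256,
              "sha384": hashes.SHA384, "sha512": hashes.SHA512}


def signed_octets(real_message1, nonce_r, sk_pi, rest_of_init_id_payload):
    """InitiatorSignedOctets per RFC 7296 section 2.15:
    RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload).
    prf is taken to be HMAC-SHA256 (assumption; it is the PRF from the question)."""
    maced_id = hmac.new(sk_pi, rest_of_init_id_payload, hashlib.sha256).digest()
    return real_message1 + nonce_r + maced_id


def sign_legacy(priv, octets, hash_name="sha1"):
    """Auth method 1 ("RSA Digital Signature"): bare RSASSA-PKCS1-v1_5 signature.
    The payload carries no hint about the hash, so the verifier must guess;
    RFC 5996/7296 tells both sides to default to SHA-1."""
    return priv.sign(octets, padding.PKCS1v15(), HASH_CLASS[hash_name]())


def verify_legacy(pub, octets, sig):
    """Verifier that only implements auth method 1 and therefore assumes SHA-1."""
    try:
        pub.verify(sig, octets, padding.PKCS1v15(), hashes.SHA1())
        return True
    except InvalidSignature:
        return False


def sign_rfc7427(priv, octets, hash_name):
    """Auth method 14 ("Digital Signature"): ASN.1 Length | AlgorithmIdentifier |
    signature, so the hash that was used is stated inside the payload."""
    algid = ALGID_BY_HASH[hash_name]
    sig = priv.sign(octets, padding.PKCS1v15(), HASH_CLASS[hash_name]())
    return bytes([len(algid)]) + algid + sig


def verify_rfc7427(pub, octets, auth_data):
    """Parse the RFC 7427 prefix, pick the hash it names, then verify."""
    if len(auth_data) < 2:
        return False
    n = auth_data[0]
    algid, sig = auth_data[1:1 + n], auth_data[1 + n:]
    hash_name = HASH_BY_ALGID.get(algid)
    if hash_name is None:  # AlgorithmIdentifier not on the supported list
        return False
    try:
        pub.verify(sig, octets, padding.PKCS1v15(), HASH_CLASS[hash_name]())
        return True
    except InvalidSignature:
        return False


def demo():
    """Reproduce the symptom from the thread: a SHA-256 signature is only
    accepted once the payload format can say that SHA-256 was used."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = priv.public_key()
    # Constructed stand-ins for the IKE_SA_INIT request, Nr, SK_pi and the ID payload.
    octets = signed_octets(b"IKE_SA_INIT-request-bytes", b"nonce-r" * 4,
                           b"sk_pi-constructed", b"\x02\x00\x00\x00vpn.example.com")
    return {
        "legacy_sha1":    verify_legacy(pub, octets, sign_legacy(priv, octets, "sha1")),
        "legacy_sha256":  verify_legacy(pub, octets, sign_legacy(priv, octets, "sha256")),
        "rfc7427_sha256": verify_rfc7427(pub, octets, sign_rfc7427(priv, octets, "sha256")),
        "rfc7427_wrong_octets": verify_rfc7427(pub, octets + b"\x00",
                                               sign_rfc7427(priv, octets, "sha256")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'FAILED'}")
```

Run it directly to print the four verification results. The `legacy_sha256` case fails because the PKCS#1 v1.5 DigestInfo encodes the hash OID, so a verifier expecting SHA-1 cannot accept a SHA-256 signature even over identical signed octets. RFC 7427 peers announce the hashes they accept with a SIGNATURE_HASH_ALGORITHMS notify in IKE_SA_INIT, which is how strongSwan settles on SHA-256 with a peer that supports it; a peer that never sends that notify, such as one implementing only RFC 5996, has to be given auth method 1 with SHA-1.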

[strongSwan] Strongswan AUTH payload signature hash algorithm for certificate based authentication

2016-10-11 Thread Kalyani Garigipati (kagarigi)
Hi,

I am trying to bring up an IKEv2 SA between strongSwan and a Cisco router.
The authentication method used is certificates and the PRF algorithm is SHA256.

· I wanted to know what hash algorithm is used while generating the
signature in the AUTH payload for strongSwan. Is it SHA1 or SHA256?

· I observed that if I generate the signature in the AUTH payload using
SHA256, it fails the signature validation. If I generate the signature in
the authentication payload using SHA1, it passes the signature validation.

RFC quote below, from page 94 of RFC 5996:

RSA Digital Signature  1
  Computed as specified in Section 2.15 using an RSA private key
  with RSASSA-PKCS1-v1_5 signature scheme specified in [PKCS1]
  (implementers should note that IKEv1 used a different method for
  RSA signatures).  To promote interoperability, implementations
  that support this type SHOULD support signatures that use SHA-1
  as the hash function and SHOULD use SHA-1 as the default hash
  function when generating signatures


Regards,
kalyani



Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
From the code it looks like the identity set using AUTH_RULE_EAP_IDENTITY is
used only in the EAP Identity rounds.
This identity is not being used for the id check in the API find_private_key in
tls_peer.c

Thanks,
Ravikanth


Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
Dear Andreas,
Looks like my issue is not solved yet.
I have modified the identity with the statement below
(1) auth->add(auth, AUTH_RULE_EAP_IDENTITY, id2);

But EAP-TLS is still looking for the identity set with

1) auth->add(auth, AUTH_RULE_IDENTITY, id1);

Can you please help me with this issue.

Thanks,
Ravikanth



-- 
Regards,

RaviKanth VN Vanapalli
Ph: (469) 999 7567
Email: vvnrk.vanapa...@gmail.com

Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
Dear Andreas,
Thank you for your valuable inputs. My issue is solved now.

Thanks,
Ravikanth



Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Andreas Steffen
aaa_identity is used by an EAP client to verify the identity
in the TLS server certificate if it is different from the IKEv2
server certificate.

Regards

Andreas



Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Andreas Steffen
Hi Ravi,

yes, your understanding is correct.

Regards

Andreas



Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
Adding option (3) here.

3) auth->add(auth, AUTH_RULE_AAA_IDENTITY, id)

Which of the identities (1), (2) or (3) is used to fetch the private
key in EAP-TLS authentication?






Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Ravi Kanth Vanapalli
Sure Andreas. Thank you for this valuable input. I will give a try.

Could you please confirm the difference between 1 and 2 below

1) auth->add(auth, AUTH_RULE_IDENTITY, id);
2) auth->add(auth, AUTH_RULE_EAP_IDENTITY, id);

My understanding is that (1) is used to fill the IDi in the first IKE_AUTH
message.
The second one is used for identity verification in EAP methods, e.g. EAP-TLS
uses the identity added in AUTH_RULE_EAP_IDENTITY for fetching the private
certificate.
(1) and (2) can be different.

Kindly confirm that my understanding is correct.

Thanks,
Ravikanth




Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Andreas Steffen
Hi Ravi,

why don't you use the eap_identity parameter?

Regards

Andreas

On 10.10.2016 22:13, Ravi Kanth Vanapalli wrote:
> Hi all,
> 
> I have a situation wherein I need to alter the IDi slightly before the
> EAP-TLS authentication proceeds. I.e IDi in the first IKE_AUTH message
> should be different to IDi to be used for user private key lookup in the
> EAP-TLS user authentication.
> 
> I see that the API 'eap_tls_create_peer' is being used to initialize
> the peer identity in the TLS plugin.
> This is registered with the plugin eap_tls_plugin.c
> 
> I am finding it difficult to know which module calls this API
> eap_tls_create_peer to initialize the EAP TLS peer identity.
> 
> Kindly provide any inputs regarding my issue.
> 
> Thank you very much.
> 
> -- 
> Regards,
> RaviKanth

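The three identities discussed in this thread as they appear in a client-side ipsec.conf, as an added example (not from the thread and not a strongSwan-supplied configuration): `leftid` becomes AUTH_RULE_IDENTITY and is sent as IDi in the first IKE_AUTH message, `eap_identity` (the parameter Andreas points to) becomes AUTH_RULE_EAP_IDENTITY and is what the client answers in the EAP Identity round, and `aaa_identity` becomes AUTH_RULE_AAA_IDENTITY and is the identity the EAP-TLS client expects in the TLS server certificate when the AAA backend is not the IKEv2 gateway, as Andreas explains above. The connection name, identities, certificate file name and host names are assumptions.

```ini
# ipsec.conf on the EAP-TLS client (added example; all names are assumptions)
conn eap-tls-client
    keyexchange=ikev2
    left=%defaultroute
    # IDi sent in the first IKE_AUTH message  -> AUTH_RULE_IDENTITY
    leftid=alice@example.com
    # identity returned in the EAP Identity round -> AUTH_RULE_EAP_IDENTITY
    eap_identity=alice-eap@example.com
    leftauth=eap-tls
    # client certificate presented inside the EAP-TLS handshake
    leftcert=aliceCert.pem
    right=vpn.example.com
    rightid=@vpn.example.com
    rightauth=pubkey
    # identity expected in the TLS server certificate when the AAA backend
    # is a separate host from the IKEv2 gateway -> AUTH_RULE_AAA_IDENTITY
    aaa_identity=@aaa.example.com
    auto=add
```

Bring the connection up with `ipsec up eap-tls-client` and check `ipsec statusall` to see which identity was sent as IDi. Ravi reports above that, in the code he inspected, find_private_key in tls_peer.c does not use the identity set via AUTH_RULE_EAP_IDENTITY, so if the certificate for the TLS handshake has to differ from the one matching `leftid`, verify that behaviour against your strongSwan version before relying on the split between `leftid` and `eap_identity`.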