Hi, I'm trying to set up an IPsec connection with an ePDG. The authentication is based on the EAP-TLS method between the strongSwan client and the AAA server: client ----> ePDG ------> AAA

My problem is the "ID" field value sent from the strongSwan client to the ePDG in the first IKE_AUTH message, in the case of EAP-TLS authentication. The "ID" field has the type "IKEV2_ID_TYPE_DER_ASN1_DN" and its value is a hex-encoded sequence: "3073310B3009060......"

After receiving the IKE_AUTH message, the ePDG sends a Diameter EAP Request to the AAA. In this message, the "User-Name" AVP is badly encoded as follows:

0s1.0...U....<my_country_code>1.0...U... <my_state>1.0...U....<Locality>1.0...U. ..<my_organization>1.0 ..U....<my_organization_unit>1.0...U....<my_client_common_name>

However, I can distinguish the information (country, state, ...) I used to generate my self-signed client certificate. Due to this malformed AVP, the authentication fails.

I don't think the ePDG is badly converting the IKE_AUTH ID hex sequence to the User-Name AVP. When I convert the IKE_AUTH ID hex sequence sent by the strongSwan client to a string, I get the same malformed string that the ePDG debug displays as the User-Name AVP value sent to the AAA, like the example above.

In the case of a simple EAP-MSCHAPv2 authentication, the IKE_AUTH "ID" field type is "IKEV2_ID_TYPE_RFC822_ADDR" and its value is the same as the "leftid" I configured in the "ipsec.conf" file, which means <user_name>@<realm>. Here, the "User-Name" Diameter AVP value is equal to the "leftid" and the IKE_AUTH ID. Authentication is successful because the AAA can recognize the user by matching on <user_name>.

Even if EAP-TLS is based on certificates to do mutual authentication, I need to use the user name format "<user_name>@<realm>" to correctly find my user in the users file before authenticating him.

Is it possible with strongSwan to use the "leftid" value in the IKE_AUTH ID even if the authentication method used is EAP-TLS?

If not, I can change the way I locate my user in the users file by modifying my policy flow. But in this case, the IKE_AUTH ID has to be correctly encoded so that the ePDG can correctly assign its value to the Diameter "User-Name" AVP. I can then match on the certificate "Common Name" field, for example.

Could the size of the certificate or its type (self-signed) affect the successful encoding of the IKE_AUTH ID? Any ideas or solutions to check or investigate?

Thanks a lot,
Marwane
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
