[strongSwan-dev] IKE_AUTH with IDi and IDr

Martin Willi martin at strongswan.org
Mon Sep 1 08:59:17 CEST 2014


Hi Peter,

> Looking at RFC 4306 for the packet format, there is no mention of APN.

IKEv2 does not know the term APN, only 3GPP does. So this is not
specified in the IKEv2 standard that is implemented by strongSwan, but
only on that upper level 3GPP standard that uses IKEv2. It is probably
no problem to follow your 3GPP spec when configuring strongSwan, though.

> Looking at the strongSwan source, I did not find any implementation of
> sending the APN in the IDr?

strongSwan sends the IDr request in the first IKE_AUTH message as
initiator if it is set by the configuration. For an ipsec.conf based
configuration, basically all you need is to set rightid to a
non-wildcard value. In most of our test scenarios IDr is sent, have a
look at the daemon.log in [1] as an example. But it is omitted if
rightid is %any or has a wildcard, as seen in [2].

> The comment in method build_i suggests that IDr is optional?

Yes, it is. If the initiator knows the responder identity, it enforces
it using the IDr payload. To avoid that, you can also use the % rightid
prefix; refer to the ipsec.conf manpage for details.

Regards
Martin

[1] https://www.strongswan.org/uml/testresults/ikev2/rw-psk-fqdn/index.html
[2] https://www.strongswan.org/uml/testresults/ikev2/rw-psk-no-idr/index.html
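The three rightid variants the reply describes, side by side in one ipsec.conf, as an added example that is not part of the mail above nor taken from the strongSwan test suite. Host names, the gateway address 192.0.2.1 and the identities are made up; the PSK itself would live in ipsec.secrets and is not shown.

```conf
# Added example, not from the mailing-list post or the strongSwan tests.
# All addresses and identities below are placeholders.
config setup

conn %default
        keyexchange=ikev2
        authby=secret
        left=%defaultroute
        leftid=client@example.com
        right=192.0.2.1

# 1. IDr sent and enforced: rightid is a concrete, non-wildcard identity.
#    The initiator puts it into the IDr payload of the first IKE_AUTH
#    request and rejects a responder that authenticates as someone else.
conn gw-enforced
        rightid=gw.example.com
        auto=add

# 2. IDr omitted: %any (a wildcard identity behaves the same) means the
#    initiator does not know the responder identity, so no IDr is sent.
conn gw-any
        rightid=%any
        auto=add

# 3. % prefix: the identity is known but not enforced via IDr; the exact
#    semantics are those documented for rightid in ipsec.conf(5).
conn gw-hint
        rightid=%gw.example.com
        auto=add
```

To confirm which variant is in effect, read the charon log for the connection: it lists the payloads of every message it builds, so the first IKE_AUTH request appears as a line of the form `generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr ]` when IDr is included, and without the `IDr` token when it is omitted. The daemon.log files in [1] and [2] show both cases.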


