[strongSwan-dev] IKE_AUTH with IDi and IDr
Thomas Egerer
hakke_007 at gmx.de
Sun Aug 31 22:04:27 CEST 2014
Hi Peter,
On 08/30/2014 12:04 AM, Peter Hsiang wrote:
> The 3GPP TS 33.402 spec (rel12) chapter 8.2.2 (top of page 33) says that the first IKE_AUTH request sends the user identity (in IDi payload) and the APN information
> (in the IDr payload). Looking at the strongSwan source, I did not find any implementation of sending the APN in the IDr?
You should definitely have a look at the
src/libcharon/plugins/eap_aka* plugins. They certainly handle
what you are looking for.
> Looking at RFC 4306 for the packet format, there is no mention of APN.
Correct, that's the (meanwhile obsoleted) IKEv2 standard (see
http://tools.ietf.org/html/rfc5996 for the more current version).
>
> Does anyone know if the APN is required, and what the IKE_AUTH message might use it for?
I guess it's right in your document:
'[...]The ePDG sends the Authentication and Authorization Request
message to the 3GPP AAA Server, containing the user identity
and APN. [...]'
page 33, paragraph number 3.
>
> Related code:
>
> - libcharon/encoding/payloads/id_payload.c
> - libcharon/encoding/message.c
> - libcharon/sa/ikev2/tasks/ike_auth.c (method build_i)
>
> The comment in method build_i suggests that IDr is optional?
It's optional with IKEv2. EAP-AKA is quite a blank spot in
my knowledge base, but it seems to require it (judging from
your cited document).
I guess Martin will be able to shed some more light on this
tomorrow since he implemented the plugins.
Cheers, Thomas