[strongSwan-dev] IKE_AUTH with IDi and IDr

Thomas Egerer hakke_007 at gmx.de
Sun Aug 31 22:04:27 CEST 2014

Hi Peter,

On 08/30/2014 12:04 AM, Peter Hsiang wrote:
> The 3GPP TS 33.402 spec (rel12) chapter 8.2.2 (top of page 33) says that the first IKE_AUTH request sends the user identity (in IDi payload) and the APN information
> (in the IDr payload). Looking at the strongSwan source, I did not find any implementation of sending the APN in the IDr?

You should definitely have a look at the
src/libcharon/plugins/eap_aka* plugins. They certainly handle
what you are looking for.

> Looking at RFC 4306 for the packet format, there is no mention of APN.

Correct, that's the (meanwhile obsoleted) IKEv2 standard; see
http://tools.ietf.org/html/rfc5996 for the more current version.

> Does anyone know if the APN is required, and what the IKE_AUTH message might use it for?

I guess it's right in your document:
'[...]The ePDG sends the Authentication and Authorization Request
message to the 3GPP AAA Server, containing the user identity
and APN.  [...]'
page 33, paragraph number 3.

> Related code:
> - libcharon/encoding/payloads/id_payload.c
> - libcharon/encoding/message.c
> - libcharon/sa/ikev2/tasks/ike_auth.c  (method build_i)
> The comment in method build_i suggests that IDr is optional?

It's optional with IKEv2. EAP-AKA is quite a blank spot in
my knowledge base, but it seems to require it (judging from
your cited document).

I guess Martin will be able to shed some more light on this
tomorrow since he implemented the plugins.

Cheers, Thomas
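
The thread above talks about the IDi and IDr payloads of the first IKE_AUTH request and points at RFC 5996 for the wire format. As an added illustration (not strongSwan code, and not from either poster), the following Python encodes and parses IKEv2 Identification payloads in the layout RFC 5996 sections 3.2 and 3.5 define: a four-byte generic payload header (Next Payload, Critical bit, Payload Length) followed by an ID Type byte, three reserved bytes and the identification data. It walks a payload chain the way a receiver must, checking lengths, ignoring reserved bits, and rejecting unknown payloads only when their Critical bit is set. The identity strings and the APN-like FQDN in the IDr are constructed sample values, not taken from the 3GPP spec or from any real network.

```python
import struct
import ipaddress

# IKEv2 payload type numbers (RFC 5996, section 3.2)
NO_NEXT_PAYLOAD = 0
PAYLOAD_IDi = 35
PAYLOAD_IDr = 36

# Identification payload ID types (RFC 5996, section 3.5)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_DER_ASN1_GN = 10
ID_KEY_ID = 11

GENERIC_HDR = struct.Struct("!BBH")  # Next Payload, C bit + 7 reserved bits, Payload Length
ID_HDR = struct.Struct("!B3x")       # ID Type, three reserved bytes


def encode_id_payload(id_type, id_data, next_payload=NO_NEXT_PAYLOAD, critical=False):
    """Serialize one IDi/IDr payload: generic header followed by the ID body."""
    if id_type == ID_IPV4_ADDR:
        raw = ipaddress.IPv4Address(id_data).packed
    elif id_type == ID_IPV6_ADDR:
        raw = ipaddress.IPv6Address(id_data).packed
    elif isinstance(id_data, str):
        raw = id_data.encode("ascii")  # FQDN / RFC822 identities are ASCII, not NUL-terminated
    else:
        raw = bytes(id_data)           # DN, GN and KEY_ID are passed through as opaque bytes
    length = GENERIC_HDR.size + ID_HDR.size + len(raw)
    if length > 0xFFFF:
        raise ValueError("identification data too long for a 16-bit payload length")
    flags = 0x80 if critical else 0x00  # high bit is the Critical bit, the rest MUST be zero
    return GENERIC_HDR.pack(next_payload, flags, length) + ID_HDR.pack(id_type) + raw


def decode_id_data(id_type, raw):
    """Convert raw identification data into a display value, validating fixed sizes."""
    if id_type == ID_IPV4_ADDR:
        if len(raw) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return str(ipaddress.IPv4Address(raw))
    if id_type == ID_IPV6_ADDR:
        if len(raw) != 16:
            raise ValueError("ID_IPV6_ADDR must carry exactly 16 bytes")
        return str(ipaddress.IPv6Address(raw))
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        return raw.decode("ascii")
    return raw


def walk_payloads(buf, first_payload):
    """Follow the Next Payload chain from buf[0], whose type is first_payload.

    Returns a list of (payload_type, id_type, id_data) for IDi/IDr payloads.
    Other payload types are skipped by length; if such a payload has its
    Critical bit set, parsing fails, as RFC 5996 section 2.5 requires.
    """
    out = []
    offset = 0
    ptype = first_payload
    while ptype != NO_NEXT_PAYLOAD:
        if len(buf) - offset < GENERIC_HDR.size:
            raise ValueError("truncated payload header at offset %d" % offset)
        next_payload, flags, length = GENERIC_HDR.unpack_from(buf, offset)
        critical = bool(flags & 0x80)  # reserved bits are ignored on receipt
        if length < GENERIC_HDR.size or offset + length > len(buf):
            raise ValueError("bad payload length %d at offset %d" % (length, offset))
        body = buf[offset + GENERIC_HDR.size:offset + length]
        if ptype in (PAYLOAD_IDi, PAYLOAD_IDr):
            if len(body) < ID_HDR.size:
                raise ValueError("identification payload body too short")
            (id_type,) = ID_HDR.unpack_from(body, 0)  # reserved bytes ignored on receipt
            out.append((ptype, id_type, decode_id_data(id_type, body[ID_HDR.size:])))
        elif critical:
            raise ValueError("unsupported critical payload type %d" % ptype)
        offset += length
        ptype = next_payload
    if offset != len(buf):
        raise ValueError("%d trailing bytes after last payload" % (len(buf) - offset))
    return out


# Constructed sample identities (placeholders, not real subscriber or APN values)
SAMPLE_IDi = "0123456789012345@example.org"  # RFC822-style NAI for the user identity
SAMPLE_IDr = "internet.apn.example"          # FQDN carrying an APN-like name


def build_sample_chain():
    """IDi (Next Payload = IDr) followed by IDr (Next Payload = none)."""
    return (encode_id_payload(ID_RFC822_ADDR, SAMPLE_IDi, next_payload=PAYLOAD_IDr)
            + encode_id_payload(ID_FQDN, SAMPLE_IDr))


if __name__ == "__main__":
    for ptype, id_type, data in walk_payloads(build_sample_chain(), PAYLOAD_IDi):
        print("payload %d, ID type %d: %r" % (ptype, id_type, data))
```

In a real IKE_AUTH request these payloads sit inside the encrypted (SK) payload; the walker here is only the inner chain, and in a full parser the first payload type would come from the SK header's Next Payload field.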
