[strongSwan-dev] Pull request for external-authorization plugin

Martin Willi martin at strongswan.org
Thu Jul 31 10:06:06 CEST 2014

> How does it look now? The "eap" : "ike" part is to make it easy for scripts to
> differentiate what type of identity it is.

True, but how does this scheme work if you want to pass both identities?
Or someone wants to add other options, such as the peer address,
certificate information, etc.?

With that approach, you'd end up with an argument-name argument-value
list, but the names are not that meaningful. I'd prefer environment
variables, as you won't need any argument parsing in the callee. Just
checking the value for get_other_eap_id() is sufficient in most cases,
but we definitely should consider extensibility of that interface.

> We have a conn that uses rightauth=pubkey (IKE id that is the DN of the
> X.509 cert)

With pubkey authentication, the IKE identity can be anything other than a
DN. A peer for example may use an e-mail or IP as IKE identity (which is
contained in the cert as subjectAltName).

> So our script can parse for the email when argv[1] is ike and it knows
> it already is an email if argv[1] is eap

EAP or XAuth identities do not have to be e-mail addresses. Implying the
identity type from the getter does not work.
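As an added example (not code from the pull request or from strongSwan), a sketch of the callee side of the environment-variable interface suggested above. The variable names IKE_ID, EAP_ID and PEER_ADDR and the allow-list policy are assumptions constructed for this example.

```shell
#!/bin/sh
# Constructed authorization callee: reads identities from the environment
# instead of positional arguments. IKE_ID, EAP_ID and PEER_ADDR are assumed
# names for this example, not an existing strongSwan interface.

# Classify an IKE identity by its syntax only. A pubkey peer may present a
# DN, an e-mail or an IP, so the authentication method says nothing about
# the identity type. A DN is checked first because its CN may contain '@'.
ike_id_kind() {
    case "$1" in
        "")   echo none ;;
        *=*)  echo dn ;;
        *@*)  echo email ;;
        *)    echo other ;;
    esac
}

# Constructed policy: which identities are allowed. A real script would
# consult a file or a database here.
policy_allows() {   # $1 = ike|eap, $2 = identity value
    case "$1:$2" in
        "ike:C=XX, O=Example, CN=alice@example.org") return 0 ;;
        "ike:alice@example.org") return 0 ;;
        "eap:alice") return 0 ;;
        *) return 1 ;;
    esac
}

# authorize IKE_ID EAP_ID PEER_ADDR -> exit status 0 (allow) or 1 (deny).
# An empty string means "not present", which is how an unset variable arrives.
authorize() {
    ike_id=$1; eap_id=$2; peer_addr=$3
    [ -n "$ike_id" ] || { echo "deny: no IKE identity" >&2; return 1; }
    if [ -n "$eap_id" ]; then
        # EAP/XAuth was used: the EAP identity is the one to check; the IKE
        # identity is only logged. Neither is assumed to be an e-mail address.
        policy_allows eap "$eap_id" \
            || { echo "deny: eap id '$eap_id' (ike '$ike_id')" >&2; return 1; }
    else
        # Pubkey authentication: check the IKE identity whatever its form.
        policy_allows ike "$ike_id" \
            || { echo "deny: $(ike_id_kind "$ike_id") id '$ike_id'" >&2; return 1; }
    fi
    echo "allow: ike='$ike_id' eap='$eap_id' peer='${peer_addr:-?}'" >&2
    return 0
}

# Entry point when invoked by the daemon: no argument parsing, the callee
# reads the variables it understands and ignores any added later.
authorize_from_env() {
    authorize "${IKE_ID:-}" "${EAP_ID:-}" "${PEER_ADDR:-}"
}
```

Extending the interface (peer address, certificate data) then means exporting one more variable; existing scripts keep working because nothing positional shifts.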

