[strongSwan-dev] IKE_AUTH with IDi and IDr

Peter Hsiang phsiang at nvidia.com
Tue Sep 2 23:54:49 CEST 2014

Hi Martin,

Thank you and also Thomas for the responses.
Ok I see in log [1] that there is IDr when right_id is given.  Thanks

Reading the build_i, it does not look like the IDr currently include the APN in the IDr.  Is this correct?

I want to have a stroke message containing the APN text string and somehow get it to build_i where it constructs the IKE_AUTH packet.  Is this possible in the current plugin architecture?

Is RFC5996 chapter 3.5 where it defines the packet format of IDr?  
In the current implementation, what strongswan configuration parameter corresponds to what gets placed into the IDr?  
I suppose it's different from the right_id because the right_id is usually a URL ending with a ".org", while the APN is a plain text string name.

Thanks and Best Regards,

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Sunday, August 31, 2014 11:59 PM
To: Peter Hsiang
Cc: dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] IKE_AUTH with IDi and IDr

Hi Peter,

> Looking at RFC 4306 for the packet format, there is no mentioning of APN.

IKEv2 does not know the term APN, only 3GPP does. So this is not specified in the IKEv2 standard that is implemented by strongSwan, but only on that upper level 3GPP standard that uses IKEv2. It is probably no problem to follow your 3GPP spec when configuring strongSwan, though.

> Looking at the Strongswan source, I did not find any implementation of 
> sending the APN in the IDr ?

strongSwan sends the IDr request in the first IKE_AUTH message as initiator if it is set by the configuration. For an ipsec.conf based configuration, basically all you need is to set rightid to a non-wildcard value. In most of our test scenarios IDr is sent, have a look at the daemon.log in [1] as an example. But it is omitted if rightid is %any or has a wildcard, as seen in [2].

> The comment in method build_i suggests that IDr is optional?

Yes, it is. If the initiator knows the responder identity, it enforces it using the IDr payload. To avoid that, you also can use the % rightid prefix, refer to the ipsec.conf manpage for details.



This email message is for the sole use of the intended recipient(s) and may contain
confidential information.  Any unauthorized review, use, disclosure or distribution
is prohibited.  If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message.

More information about the Dev mailing list