From wk2 at rogers.com Tue Mar 9 22:46:17 2021
From: wk2 at rogers.com (W)
Date: Tue, 9 Mar 2021 16:46:17 -0500
Subject: [strongSwan-dev] External handling for PPK and PPK_ID
References: <868ba4c8-01a2-ec29-c2d5-14786adf9e79.ref@rogers.com>
Message-ID: <868ba4c8-01a2-ec29-c2d5-14786adf9e79@rogers.com>

Hi,

Is it possible to externalize PPK and PPK_ID handling via a custom plugin?

The scenario here is for Site-to-Site gateways. I'd like to be able (through a plugin or otherwise) to retrieve a random PPK_ID and PPK from an external service for the initiator, and the responder would look up the PPK_ID on its end to retrieve the associated PPK (again via an external keying service).

In accordance with RFC 8784, the responder would look up the PPK from the sent PPK_ID, and if the keys are mismatched, the connection fails (this works now in strongSwan).

I understand that NULL authentication (RFC 7619) is not implemented in strongSwan, but that's not an issue in this case.

I've looked into how to build plugins, so any pointers are appreciated.

Thanks in advance.
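The exchange the post describes (initiator fetches a random PPK_ID/PPK pair from a keying service, sends the PPK_ID in a PPK_IDENTITY notify, responder resolves the id against its own service, and a mismatched PPK makes authentication fail) can be modelled outside of strongSwan. The following is an added example written for this page, not strongSwan code and not a strongSwan plugin: it assumes HMAC-SHA256 as the IKEv2 prf, an in-memory dictionary standing in for the external keying service (`ExternalKeyService` is a hypothetical name), and a deliberately simplified `auth_tag` in place of the full RFC 7296 AUTH construction. The PPK mixing step `SK_pi' = prf+(PPK, SK_pi)` and the one-octet PPK_ID type prefix follow RFC 8784 sections 3.1 and 4.

```python
"""Model of RFC 8784 PPK_ID lookup against an external keying service.

Constructed example for illustration; not strongSwan code.  HMAC-SHA256 is
assumed as the prf and the AUTH computation is simplified to a MAC.
"""
import hmac
import hashlib
import secrets

PPK_ID_OPAQUE = 1   # PPK_ID type values from RFC 8784 section 4
PPK_ID_FIXED = 2


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ as defined in RFC 7296 section 2.13, instantiated with HMAC-SHA256."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def encode_ppk_identity(ppk_id_type: int, ppk_id: bytes) -> bytes:
    """Notification data of PPK_IDENTITY: one type octet followed by the id."""
    return bytes([ppk_id_type]) + ppk_id


def decode_ppk_identity(data: bytes):
    """Inverse of encode_ppk_identity; rejects a payload with no id bytes."""
    if len(data) < 2:
        raise ValueError("PPK_IDENTITY notification too short")
    return data[0], data[1:]


class ExternalKeyService:
    """Hypothetical stand-in for the external keying service (PPK_ID -> PPK)."""

    def __init__(self, table):
        self._table = dict(table)

    def random_entry(self):
        """Initiator side: pick a random (PPK_ID, PPK) pair to use for this IKE SA."""
        ppk_id = secrets.choice(sorted(self._table))
        return ppk_id, self._table[ppk_id]

    def lookup(self, ppk_id: bytes):
        """Responder side: resolve a received PPK_ID, or None if it is unknown."""
        return self._table.get(ppk_id)


def mix_ppk(ppk: bytes, sk: bytes) -> bytes:
    """RFC 8784 section 3.1: SK_pi' = prf+(PPK, SK_pi); same shape for SK_pr', SK_d'."""
    return prf_plus(ppk, sk, len(sk))


def auth_tag(sk_p: bytes, signed_octets: bytes) -> bytes:
    """Simplified AUTH value: a MAC over the signed octets under the PPK-mixed key.
    The real IKEv2 AUTH derivation (RFC 7296 section 2.15) is more involved."""
    return hmac.new(sk_p, signed_octets, hashlib.sha256).digest()


def run_exchange(init_svc, resp_svc, sk_pi: bytes,
                 signed_octets: bytes = b"constructed initiator signed octets") -> str:
    """One IKE_AUTH round with PPK; returns 'OK', 'UNKNOWN_PPK_ID' or 'AUTHENTICATION_FAILED'."""
    # Initiator: obtain a random pair from its keying service and send the id.
    ppk_id, ppk_i = init_svc.random_entry()
    notify = encode_ppk_identity(PPK_ID_OPAQUE, ppk_id)
    auth = auth_tag(mix_ppk(ppk_i, sk_pi), signed_octets)

    # Responder: decode the notify and resolve the id against its own service.
    _ppk_id_type, recv_id = decode_ppk_identity(notify)
    ppk_r = resp_svc.lookup(recv_id)
    if ppk_r is None:
        # RFC 8784 fallback via NO_PPK_AUTH is not modelled here; PPK is mandatory.
        return "UNKNOWN_PPK_ID"
    expected = auth_tag(mix_ppk(ppk_r, sk_pi), signed_octets)
    if not hmac.compare_digest(auth, expected):
        # Same id, different PPK on the two sides: authentication fails.
        return "AUTHENTICATION_FAILED"
    return "OK"


if __name__ == "__main__":
    # Constructed sample keying tables for a quick local run.
    shared = {b"site-a-2021-03": b"\x01" * 32, b"site-a-2021-04": b"\x02" * 32}
    good = ExternalKeyService(shared)
    stale = ExternalKeyService({k: b"\xff" * 32 for k in shared})
    print(run_exchange(good, good, b"\x11" * 32))
    print(run_exchange(good, stale, b"\x11" * 32))
    print(run_exchange(good, ExternalKeyService({}), b"\x11" * 32))
```

The three outcomes correspond to the cases a plugin author has to handle: both services agree on the PPK for the id, the id is known but the key material differs (the mismatch the post says already fails in strongSwan), and the responder's service does not know the id at all. In the model `SK_pi` is simply shared between the two sides; in a real exchange it is derived from the IKE_SA_INIT key exchange.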