[strongSwan] Problem configuring IDr and trusting RSA public key

carlos.yuste at mantica-solutions.com carlos.yuste at mantica-solutions.com
Fri Nov 20 13:04:02 CET 2015


Hello,

I am trying to establish an ipsec tunnel using IKEv2 EAP-AKA. The server 
(an ePDG) uses a certificate to authenticate itself. The aim is to 
establish an ipsec tunnel according to TS 33.402 R11 section 8.2.2.

The problem is that the IDr that I receive from the ePDG is different 
from the IDr that I want to send in the IKE_AUTH request. What I want is 
to send IDr=ims AND accept the certificate that comes from 
ePDG1_1.domain. Is this possible?


First I tried with this configuration in ipsec.conf file:

conn mantica
     left=192.168.1.25
     leftid=111220000000300@nai.epc.mnc022.mcc111.3gppnetwork.org
     eap_identity=111220000000300@nai.epc.mnc022.mcc111.3gppnetwork.org
     leftauth=eap
     leftsourceip=%config4,%config6
     right=10.20.30.40
     rightid=ims
     rightsigkey=clientPubKey.pem
     auto=add
     type=tunnel

When I try to open the connection, my client sends in the IDr field 
‘ims’ (correct) but then the IKE_AUTH response that I receive fails 
because it does not find an RSA key for ims.

[…]
Nov 20 12:32:22 openims charon: 05[CFG]   loaded RSA public key for "ims" from 'clientPubKey.pem'
Nov 20 12:32:22 openims charon: 05[CFG] added configuration 'mantica'

[…]
parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/AKA ]
received end entity cert "O=OpenCA Labs, OU=Applications, CN=epdg domain"
received issuer cert "O=OpenCA Labs, OU=Applications, CN=ca2 epdg"
received issuer cert "O=OpenCA Labs, OU=Applications, CN=ca1 epdg"
no trusted RSA public key found for 'ePDG1_1.domain'

If I use

conn mantica
     left=192.168.1.25
     leftid=111220000000300@nai.epc.mnc022.mcc111.3gppnetwork.org
     eap_identity=111220000000300@nai.epc.mnc022.mcc111.3gppnetwork.org
     leftauth=eap
     leftsourceip=%config4,%config6
     right=10.20.30.40
     rightid=ePDG1_1.domain
     rightsigkey=clientPubKey.pem
     auto=add
     type=tunnel

I restart ipsec and see the following:

Nov 20 12:32:22 openims charon: 05[CFG]   loaded RSA public key for "ePDG1_1.domain" from 'clientPubKey.pem'
Nov 20 12:32:22 openims charon: 05[CFG] added configuration 'mantica'

When I start ipsec I see that strongSwan does trust the certificate, but 
it sends in the IDr ‘ePDG_1.domain’ and that causes a failure in another 
step.

generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.1.25[4500] to 10.20.30.40 [4500] (476 bytes)
received packet: from 10.20.30.40 [4500] to 192.168.1.25[4500] (4300 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/AKA ]
received end entity cert "O=OpenCA Labs, OU=Applications, CN=epdg domain"
received issuer cert "O=OpenCA Labs, OU=Applications, CN=ca2 epdg"
received issuer cert "O=OpenCA Labs, OU=Applications, CN=ca1 epdg"
   using trusted certificate "ePDG1_1.domain"
authentication of 'ePDG1_1.domain' with RSA signature successful
server requested EAP_AKA authentication (id 0x01)


I have also tried using
    rightid=%ePDG1_1.domain
but then strongSwan does not send any IDr at all (though it accepts the 
certificate) and that is not valid for the ePDG either.

It would also be OK for me to just skip the server authentication and 
accept whatever certificate it sends. Can this be done?

Thank you very much,
Carlos
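The following Python script is an added diagnostic, not code from the post or from the strongSwan project: it parses a conn block and charon log lines modelled on the ones above (both constructed here from the values in the post) and reports whether the identity the peer actually asserted in IDr matches the identity that rightsigkey was bound to, which is what the "no trusted RSA public key found" failure comes down to.

```python
import re

# Constructed sample input modelled on the first scenario in the post:
# rightid=ims binds the raw key to "ims", but the ePDG asserts another IDr.
IPSEC_CONF = """\
conn mantica
     right=10.20.30.40
     rightid=ims
     rightsigkey=clientPubKey.pem
"""
CHARON_LOG = """\
Nov 20 12:32:22 openims charon: 05[CFG]   loaded RSA public key for "ims" from 'clientPubKey.pem'
Nov 20 12:32:22 openims charon: 05[CFG] added configuration 'mantica'
Nov 20 12:33:01 openims charon: 07[IKE] no trusted RSA public key found for 'ePDG1_1.domain'
"""

LOADED_RE = re.compile(r'loaded RSA public key for "([^"]+)"')
MISSING_RE = re.compile(r"no trusted RSA public key found for '([^']+)'")
AUTH_OK_RE = re.compile(r"authentication of '([^']+)' with RSA signature successful")


def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith('conn '):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and '=' in line and not line.startswith('#'):
            key, value = line.split('=', 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_peer_identity(conf_text, log_text, conn):
    """Compare the configured rightid with the identity the peer proved (or tried to)."""
    # A leading '%' only suppresses sending IDr; the identity itself is unchanged.
    rightid = parse_conns(conf_text)[conn].get('rightid', '%any').lstrip('%')
    bound = LOADED_RE.findall(log_text)          # identities a raw key was bound to
    asserted = MISSING_RE.findall(log_text) + AUTH_OK_RE.findall(log_text)
    mismatched = [i for i in asserted if i not in bound]
    return {'rightid': rightid, 'key_bound_to': bound,
            'peer_asserted': asserted, 'ok': bool(asserted) and not mismatched}
```

Run against the second scenario's log (key loaded for "ePDG1_1.domain", authentication successful) the check reports ok=True, which is why that configuration trusts the certificate but sends the unwanted IDr.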


