[strongSwan] IKE_AUTH ID value in case of EAP-TLS authentication

Marwane L marwane.lechguer at gmail.com
Mon Jun 27 15:06:47 CEST 2016


Hi,

I'm trying to set up an IPsec connection with an ePDG. The authentication
is based on the EAP-TLS method between the strongSwan client and the AAA server:
client ---->ePDG------>AAA

My problem is the "ID" field value sent from the strongSwan client to the ePDG in
the first IKE_AUTH message, in the case of EAP-TLS authentication. The "ID"
field has the following type: "IKEV2_ID_TYPE_DER_ASN1_DN", and its value is
a hex-encoded sequence: "3073310B3009060......"
After receiving the IKE_AUTH message, the ePDG sends a Diameter EAP Request
to the AAA. In this message, the "User-Name" AVP is badly encoded as follows:
0s1.0...U....<my_country_code>1.0...U...
<my_state>1.0...U....<Locality>1.0...U.
..<my_organization>1.0
..U....<my_organization_unit>1.0...U....<my_client_common_name>

However, I can distinguish the information (country, state...) I used to
generate my self-signed client certificate. Due to this malformed AVP the
authentication fails.

I don't think the ePDG is badly converting the IKE_AUTH ID hex sequence to the
User-Name AVP. When I convert the IKE_AUTH ID hex sequence sent by the
strongSwan client to a string, I get the same malformed string that the ePDG
debug output displays as the User-Name AVP value sent to the AAA, like the example above.

In the case of a simple EAP-MSCHAPv2 authentication, the IKE_AUTH "ID" field
type is "IKEV2_ID_TYPE_RFC822_ADDR" and its value is the same as the
"leftid" I configured in the "ipsec.conf" file, which means
<user_name>@<realm>. Here, the "User-Name" Diameter AVP value is equal to
the "leftid" and the IKE_AUTH ID. Authentication is successful because the AAA can
recognize the user by matching on <user_name>.

Even though EAP-TLS is based on certificates to do mutual authentication, I
need to use the following user name format, "<user_name>@<realm>", to
correctly find my user in the users file before authenticating him.

Is it possible with strongSwan to use the "leftid" value in the IKE_AUTH
ID even if the authentication method used is eap-tls?

If not, I can change the way I locate my user in the users file by modifying
my policy flow. But in this case, the IKE_AUTH ID has to be correctly encoded
so that the ePDG can correctly assign its value to the Diameter "User-Name" AVP.
I can then match on the certificate "Common Name" field, for example.

Could the size of the certificate or its type (self-signed) affect the
successful encoding of the IKE_AUTH ID?

Any ideas or solutions to check or investigate ?

Thanks a lot,

Marwane