[strongSwan] Problem handling IDr type KEY_ID in IKE_AUTH_1

Alan Evans alanrevans at gmail.com
Mon May 9 23:15:24 CEST 2016

Hello all,

I wonder if anyone out there can point me in the right direction.
I'm looking to use strongSwan as an ePDG in an IMS network.

The IMS client (Android) is sending:

  IKE_AUTH request 1 [ IDi IDr CP(ADDR6 DNS6 (16390)) SA TSi TSr 

The IDr attribute in the IKE_AUTH is:
*ID Type: KEY_ID (0x0b)*
     Protocol ID: unused (0x00)
     Port: unused (0x00)
     Identification Data: (0x69, 0x6d, 0x73 = 'ims')

strongSwan responds:

charon: 02[CFG] looking for peer configs matching[ims]...X.X.X.X[0<IMSI>@nai.epc.mncXXX.mccXXX.3gppnetwork.org]
charon: 02[CFG] peer config match local: 0 (ID_KEY_ID -> 69:6d:73)
charon: 02[CFG] peer config match remote: 19 (ID_RFC822_ADDR -> xxxxxxx)
charon: 02[CFG] ike config match: 2 ( X.X.X.X)
charon: 02[CFG] no matching peer config found
charon: 02[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

I think this is because of the ID Type.

I've configured leftid=@#69:6d:73

But when I restart strongSwan I see this in the logs:

May  9 20:49:54 ip-10-0-0-75 charon: 12[CFG]   id 'ims' not confirmed by 
certificate, defaulting to 'CN=ims, N=ims'

The certificate has a subjectAltName= DNS:ims and a CN=ims/name=ims.

Does anyone know if its possible to  get strongSwan to match the IDr 
when the type is KEY_ID?

Thanks in advance

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160509/9c14634b/attachment.html>

More information about the Users mailing list