[strongSwan] Problem handling IDr type KEY_ID in IKE_AUTH_1

Alan Evans alanrevans at gmail.com
Mon May 9 23:15:24 CEST 2016


Hello all,

I wonder if anyone out there can point me in the right direction.
I'm looking to use strongSwan as an ePDG in an IMS network.

The IMS client (Android) is sending:

  IKE_AUTH request 1 [ IDi IDr CP(ADDR6 DNS6 (16390)) SA TSi TSr N(HTTP_CERT_LOOK) N(EAP_ONLY) N(INIT_CONTACT) N(NON_FIRST_FRAG) ]

The IDr attribute in the IKE_AUTH is:
*ID Type: KEY_ID (0x0b)*
     Protocol ID: unused (0x00)
     Port: unused (0x00)
     Identification Data: (0x69, 0x6d, 0x73 = 'ims')

strongSwan responds:

charon: 02[CFG] looking for peer configs matching 10.0.2.60[ims]...X.X.X.X[0<IMSI>@nai.epc.mncXXX.mccXXX.3gppnetwork.org]
charon: 02[CFG] peer config match local: 0 (ID_KEY_ID -> 69:6d:73)
charon: 02[CFG] peer config match remote: 19 (ID_RFC822_ADDR -> xxxxxxx)
charon: 02[CFG] ike config match: 2 (10.0.2.60 X.X.X.X)
charon: 02[CFG] no matching peer config found
charon: 02[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

I think this is because of the ID Type.

I've configured leftid=@#69:6d:73

But when I restart strongSwan I see this in the logs:

May  9 20:49:54 ip-10-0-0-75 charon: 12[CFG]   id 'ims' not confirmed by certificate, defaulting to 'CN=ims, N=ims'


The certificate has a subjectAltName= DNS:ims and a CN=ims/name=ims.

Does anyone know if it's possible to get strongSwan to match the IDr
when the type is KEY_ID?

Thanks in advance
Alan
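
An added illustration, not part of the original message and not strongSwan code: a small parser for the IKEv2 ID payload body (RFC 7296, section 3.5) showing that an identity is the pair (ID type, data), so KEY_ID 'ims' and FQDN 'ims' are different identities despite identical bytes. The exact-match comparison is a simplifying assumption, and the sample bytes are constructed from the values quoted in the message.

```python
# IKEv2 ID types, RFC 7296 section 3.5
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR", 5: "ID_IPV6_ADDR",
    9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}

def parse_id_body(body: bytes):
    """Parse an IDi/IDr payload body (the part after the generic payload header).

    Layout: 1 octet ID type, 3 reserved octets (ignored on receipt),
    then the identification data. Returns (id_type, data).
    """
    if len(body) < 4:
        raise ValueError("ID payload body shorter than 4 octets")
    id_type = body[0]
    if id_type not in ID_TYPES:
        raise ValueError(f"unknown ID type {id_type}")
    return id_type, body[4:]

def describe(identity) -> str:
    """Render an identity roughly the way the log lines above do."""
    id_type, data = identity
    if id_type == 11:  # KEY_ID is an opaque octet string: show it as hex
        return f"{ID_TYPES[id_type]} -> {data.hex(':')}"
    return f"{ID_TYPES[id_type]} -> {data.decode('ascii', 'replace')}"

def same_identity(a, b) -> bool:
    """Assumed simplified model: both the type and the data must be equal."""
    return a[0] == b[0] and a[1] == b[1]

# Constructed samples: the IDr described in the message, and the same
# three bytes carried as an FQDN (what a DNS:ims subjectAltName represents).
IDR_FROM_CLIENT = bytes([0x0B, 0x00, 0x00, 0x00]) + b"ims"
FQDN_IMS = bytes([0x02, 0x00, 0x00, 0x00]) + b"ims"

if __name__ == "__main__":
    client = parse_id_body(IDR_FROM_CLIENT)
    fqdn = parse_id_body(FQDN_IMS)
    print(describe(client))
    print(describe(fqdn))
    print("same identity:", same_identity(client, fqdn))
```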





