[strongSwan] PLUTO_XAUTH_ID trustworthy (by cert)?

Tobias Brunner tobias at strongswan.org
Tue Feb 27 11:44:57 CET 2018

Hi Trevor,

> Is PLUTO_XAUTH_ID (as passed to a user-defined updown script) 100%
> trustworthy in an ikev2 / eap-tls / user certs connection scenario?
> What I mean by that, is can it be selected, set, or spoofed by the
> client?

Yes, it's trustworthy.  While the client can send an arbitrary value, it
has to match an identity in the certificate (either the subject DN or a

> What I'm worried about, is that PLUTO_XAUTH_ID is trivially
> user-definable and not verified through the cert chain; for instance
> being pulled out of the debug log line below:
> Feb 27 01:12:35 pog charon: 10[IKE] received EAP identity 'trevor@foo.com'
> As that line appears before the cert lines I list above, I'm worried
> that it's not verified against the certs.

Yes, the EAP-Identity exchange precedes the EAP-TLS exchange, however,
the identity is carried over and is verified against the certificate.

> So I then tried user certs to select on EAP identity in the user cert.
> Set that up then finally found a couple of emails/sites that said
> strongswan can't switch conns based on identity.

That's not entirely true.  If you delegate the authentication to a
RADIUS server it can send back class attributes that strongSwan can use
to select configs (via rightgroups=<class>).  That makes it easy to use
different configs for multiple groups of users.

But even without RADIUS you can match configs against EAP identities.
It requires a dummy config that requests the EAP identities from the
clients, though.  Let's say you have two clients, one is trevor@foo.com
and one is carol@foo.com, then you may configure the following:

  conn eap-tls-shared
     # options shared by all clients e.g.
     # or

  conn eap-tls-init
     # this config is used to do the EAP-Identity exchange and the
     # authentication of client and server
     # the following is used to force a connection switch after
     # the authentication completed
     rightgroups=<any string that is not used as group/class>

  conn eap-tls-trevor
     eap_identity=trevor@foo.com
     # any options that only apply to trevor follow here

  conn eap-tls-carol
     eap_identity=carol@foo.com
     # any options that only apply to carol follow here

If carol connects now you'd see something like this in the log:

> [IKE] authentication of '..., CN=carol@foo.com' with EAP successful
> [CFG] constraint check failed: group membership to '<value of rightgroups in eap-tls-init>' required
> [CFG] selected peer config 'eap-tls-init' inacceptable: non-matching authentication done
> [CFG] switching to peer config 'eap-tls-trevor'
> [CFG] constraint check failed: EAP identity 'trevor@foo.com' required
> [CFG] selected peer config 'eap-tls-trevor' inacceptable: non-matching authentication done
> [CFG] switching to peer config 'eap-tls-carol'
> ...
> IKE_SA eap-tls-carol[1] established between ...

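A complete ipsec.conf spelling out the shared/init/per-user layout described in the reply above. This is an added example, not configuration from the mailing-list post or from the strongSwan project; the server identity, certificate file, subnets, address pool, dummy group name and updown script path are assumptions chosen for illustration.

```conf
# /etc/ipsec.conf  (added example; names, subnets and paths are assumptions)
config setup

# Template only: no auto= line, so it is never loaded as a candidate itself.
conn eap-tls-shared
     keyexchange=ikev2
     left=%any
     leftid=vpn.foo.com
     leftcert=vpnServerCert.pem
     leftauth=pubkey
     right=%any
     # client certificates are verified inside EAP-TLS against the CAs
     # installed in /etc/ipsec.d/cacerts
     rightauth=eap-tls
     rightsourceip=10.3.0.0/24
     # the updown script receives the certificate-verified EAP identity
     # in PLUTO_XAUTH_ID and can apply per-user rules from it
     leftupdown=/usr/local/libexec/ipsec/updown-peruser.sh

# Does the EAP-Identity exchange and the EAP-TLS authentication.
conn eap-tls-init
     also=eap-tls-shared
     # ask the client for an EAP identity (EAP-Identity method)
     eap_identity=%identity
     # a group name that no RADIUS server or config ever assigns: the
     # constraint check fails after authentication, so charon switches
     # to one of the per-user configs below
     rightgroups=no-such-group
     auto=add

# Per-user configs: selected by the verified EAP identity only.
conn eap-tls-trevor
     also=eap-tls-shared
     eap_identity=trevor@foo.com
     leftsubnet=10.1.0.0/16
     auto=add

conn eap-tls-carol
     also=eap-tls-shared
     eap_identity=carol@foo.com
     leftsubnet=10.1.5.0/24
     auto=add
```

With this layout, a client whose EAP-TLS certificate carries carol@foo.com authenticates under eap-tls-init, fails its deliberately unsatisfiable rightgroups constraint, and is switched to eap-tls-carol, whose eap_identity constraint it satisfies; the updown script then runs with PLUTO_XAUTH_ID set to that identity.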
