From 066fa42fcbe20d5d0803985e56b5643b7be6fa9e Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 7 Apr 2020 18:49:00 +0200
Subject: [PATCH] ike-auth: Add option to use EAP-only authentication without notify

Some peers apparently don't send the notify and still expect to authenticate with EAP-only authentication. This option allows forcing the configured use of EAP-only authentication in that scenario.
---
 conf/options/charon.opt | 4 ++++
 src/libcharon/sa/ikev2/tasks/ike_auth.c | 16 +++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index d9d98ef9c..fd2d36a0b 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -120,6 +120,10 @@ charon.flush_auth_cfg = no
 charon.follow_redirects = yes
 	Whether to follow IKEv2 redirects (RFC 5685).
 
+charon.force_eap_only_authentication = no
+	Violate RFC 5998 and use EAP-only authentication even if the peer did not
+	send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
+
 charon.fragment_size = 1280
 	Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
 	when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 6448d8baa..54f51d1eb 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -1009,9 +1009,19 @@ METHOD(task_t, build_r, status_t,
 		if (!this->ike_sa->supports_extension(this->ike_sa,
 											  EXT_EAP_ONLY_AUTHENTICATION))
 		{
-			DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
-				 "does not support it");
-			goto peer_auth_failed;
+			if (lib->settings->get_bool(lib->settings,
+						"%s.force_eap_only_authentication", FALSE, lib->ns))
+			{
+				DBG1(DBG_IKE, "ignore missing %N notify and use EAP-only "
+					 "authentication", notify_type_names,
+					 EAP_ONLY_AUTHENTICATION);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "configured EAP-only authentication, but "
+					 "peer does not support it");
+				goto peer_auth_failed;
+			}
 		}
 	}
 	else
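Review bot: The forced branch only relaxes the notify check; nothing visible in the hunk ties it to the RFC 5998 requirement that EAP-only authentication be used solely with EAP methods that provide mutual authentication and key derivation, so if that is enforced elsewhere in build_r or process_r it deserves a pointer here, and if it is not, the `get_bool` branch should verify the selected method before skipping the notify requirement rather than relying on the notify's absence being the only guard. The setting is read from the global `lib->ns` namespace, so enabling it applies to every responder connection on this daemon, not just the peer that omits the notify, and the DBG1 line will fire for each such IKE_AUTH. A short comment above the `if (lib->settings->get_bool(` line, such as `/* global knob: tolerate peers that omit EAP_ONLY_AUTHENTICATION (RFC 5998); the EAP method must still be mutual and key-generating */`, would make the trade-off explicit to maintainers. The enclosing build_r method starts and ends outside the hunk.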