From 65f576bd9cedef509bdc9471451bffed575417b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomcs=C3=A1nyi=2C=20Domonkos?=
Date: Thu, 26 Aug 2021 19:47:15 +0200
Subject: [PATCH] ignore mismatch in received identity.

This is needed, because the standard mandates that the remote entity must be configured as ims (mimicking the APN setting I think), but on the other hand the ePDG will identify itself with its FQDN in the end. I tested this and this is currently the only way to do it with strongswan I think, because you cannot configure different identities.
---
 README.md | 2 +-
 src/libstrongswan/credentials/auth_cfg.c | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 151655fe6..4fb1ebe99 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# strongSwan Configuration #
+## Patched version, containing patch to disable parsing of AUTH payload in IKEv2 Phase2, because we only want EAP-AKA ##
 ## Overview ##
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index e278bba39..90dc9aa74 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -944,6 +944,7 @@ METHOD(auth_cfg_t, complies, bool,
 id1 = (identification_t*)value;
 id2 = get(this, t1);
+/*
 if (!id2 || !id2->matches(id2, id1))
 {
 if (t1 == AUTH_RULE_IDENTITY &&
@@ -965,6 +966,10 @@ METHOD(auth_cfg_t, complies, bool,
 "EAP ", id1);
 }
 }
+*/
+DBG1(DBG_CFG, "constraint check failed, but we are ignoring it for now: %sidentity '%Y'"
+" required ", t1 == AUTH_RULE_IDENTITY ? "" :
+"EAP ", id1);
 break;
 }
 case AUTH_RULE_AUTH_CLASS:
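Review bot: The new `DBG1` runs unconditionally, because the `/*` added in the hunk at -944 comments out the entire `if (!id2 || !id2->matches(id2, id1))` block through the `*/` in this hunk, so the log reports "constraint check failed" even when the received identity matches the configured one, and `complies` can no longer reject an identity mismatch for any connection, not just the ePDG case the description motivates. Wrapping the region in `/* … */` is also fragile: if the elided lines contain a block comment of their own the comment terminates early and the build breaks, which cannot be verified from the hunk. I would keep the original check and gate only its failure branch behind a setting read from configuration, e.g. `if (!id2 || !id2->matches(id2, id1)) { if (!ignore_id_mismatch) { /* original failure path */ } else { DBG1(...ignoring...); } }` where `ignore_id_mismatch` (placeholder name) defaults to FALSE, so the peer-identity constraint stays enforced unless an operator explicitly relaxes it. The enclosing `complies` method starts and ends outside both hunks.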