ignore mismatch in received identity.

This is needed because the standard mandates that the remote entity
must be configured as ims (mimicking the APN setting, I think), but on
the other hand the ePDG will identify itself with its FQDN in the end. I
tested this and this is currently the only way to do it with strongSwan,
I think, because you cannot configure different identities.
Tomcsányi, Domonkos 2021-08-26 19:47:15 +02:00 committed by Harald Welte
parent 18b4a240dd
commit 65f576bd9c
2 changed files with 6 additions and 1 deletions

@ -1,4 +1,4 @@
# strongSwan Configuration #
## Patched version, containing patch to disable parsing of AUTH payload in IKEv2 Phase2, because we only want EAP-AKA ##
## Overview ##

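Review bot: the "## Patched version, ..." line documents only the AUTH payload change and says nothing about the peer identity constraint that this commit stops enforcing in `complies`. Anyone deploying this build needs to know that a configured remote identity is no longer checked, so add a sentence for it here. A full sentence like this also reads better as body text under the title than as a second-level heading.
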
@ -944,6 +944,7 @@ METHOD(auth_cfg_t, complies, bool,
id1 = (identification_t*)value;
id2 = get(this, t1);
/*
if (!id2 || !id2->matches(id2, id1))
{
if (t1 == AUTH_RULE_IDENTITY &&
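
Review bot: the `/*` opened before `if (!id2 || !id2->matches(id2, id1))` disables the identity comparison for every connection that uses this function, not only for the ePDG case described in the commit message. With the test gone, a peer that completes authentication is accepted whatever identity it presents, so the configured remote identity no longer constrains anything. Prefer keeping the comparison and making the relaxed behaviour opt-in through a build-time or configuration switch, so that other setups still reject a mismatching peer. If the code has to be disabled in place, `#if 0` ... `#endif` is safer than a block comment, which ends at the first `*/` inside the commented region.
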
@ -965,6 +966,10 @@ METHOD(auth_cfg_t, complies, bool,
"EAP ", id1);
}
}
*/
DBG1(DBG_CFG, "constraint check failed, but we are ignoring it for now: %sidentity '%Y'"
" required ", t1 == AUTH_RULE_IDENTITY ? "" :
"EAP ", id1);
break;
}
case AUTH_RULE_AUTH_CLASS:
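
Review bot: the added DBG1 call runs unconditionally, so "constraint check failed, but we are ignoring it for now" is logged even when the received identity does match, because the `matches` test that used to guard the failure path is now inside the comment. Keep the `if (!id2 || !id2->matches(id2, id1))` condition around the log call so it fires only on a real mismatch, and log the received identity next to the required one where it is present, so the log shows what was actually accepted. The wording "for now" suggests this is temporary; a TODO stating the condition for restoring the check would make that explicit.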