Hi,
I have understood that you used EAP-AKA for UE authentication. I am not able to find EAP-AKA as a mutual authenticator in the ePDG standard. Can you please refer me to the clause where you got this point to use EAP-AKA as a mutual authenticator between UE and ePDG?
Also, in the template swanctl.conf you have used EAP-AKA on both the local and remote side, whereas for the ePDG you have written a new auth method, EAP-EPDG, right?
That means when the UE sends a packet, the ePDG will invoke its EPDG code inside strongSwan, then extract the UE's EAP identity and send it to the AAA for authentication.
Here the UE is getting authenticated, not the ePDG.
Is my understanding correct?
Thanks
Subhajit
On Mon, 17 Feb 2025 14:21:35 +0100, Alexander 'lynxis' Couzens wrote:
Hi Subhajit,
> I have a question regarding the strongSwan configuration. Could you please
> share the ipsec.conf or swanctl.conf that you used when testing with real
> phones? I’d like to see what authentication method was used in your test case.
> Based on my understanding, it could be either PSK (Pre-Shared Key) or
> certificate-based.
> Additionally, since mobile devices typically send a CERTREQ by default,
> I’m curious how you managed to validate it at the ePDG end. Also, could you
> explain how tunnel authentication was handled/configured in your setup? Any
> further details would be appreciated.
No, it's based on EAP-AKA or EAP-AKA', which allows mutual authentication. Yes,
the certificate would also improve the situation, but it's optional.
You can find a description of my setup here: https://projects.osmocom.org/projects/osmo-epdg/wiki/Hosted_epdg_playground
Further reading: https://projects.osmocom.org/projects/osmo-epdg/wiki/EPDG_implementation_plan
I used the following setup for testing:
https://gitea.osmocom.org/ims-volte-vowifi/ansible-prototype/src/branch/master/roles/epdg/templates/swanctl/swanctl.conf
Best,
lynxis
Thanks & Regards
Subhajit Chatterjee
Staff No : 5221
C-DOT
Mehrauli, New Delhi