Hi Lynxis,
Thank you for your response.
I have a question regarding the strongSwan configuration. Could you please share the
ipsec.conf or swanctl.conf that you used when testing with real phones? I’d like to see
what authentication method was used in your test case. Based on my understanding, it could
be either PSK (Pre-Shared Key) or certificate-based.
Additionally, since mobile devices typically send a CERTREQ by default, I’m curious how
you managed to validate it at the ePDG end. Also, could you explain how tunnel
authentication was handled/configured in your setup? Any further details would be
appreciated.
Best regards.
Subhajit
Hi Subhajit,
> 1. In most deployments tunnel authentication is bypassed. So, even if the UE sends a
> CERTREQ, it gets ignored at the ePDG. The ePDG also doesn't send anything to the UE.
> Do you have any idea how to implement that in strongSwan, or have you explored that
> earlier? I saw that in 3GPP 33.402 and RFC 5996, certificate things are optional.
I didn't look into it. I tested the ePDG with some Android phones (I also tested it
once with an iPhone, while osmo-epdg was still in development).
Usually an ePDG is reachable via a 3gppnetwork.org domain, but I didn't have access to
one, so I never tested it with the certificate.
There is tunnel authentication, but not via a certificate, because EAP-AKA allows
validating both ends and provides authenticity.
> However, I know that strongSwan authentication is tightly coupled, so I'm just trying
> to understand if you have already bypassed it by making any changes in strongSwan, or
> at least know how it should be done.
> 2. There are many error and status codes written in the ePDG standard 24.302 clause 8.
> Have you mapped all EPC core errors to corresponding IKEv2 error or status codes?
No, this is still a TODO. The osmo-ePDG doesn't generate the Notify messages
containing such errors.
Best,
lynxis
Thanks & Regards
Subhajit Chatterjee
Staff No : 5221
C-DOT
Mehrauli, New Delhi