Hi,
I was going through the features of the osmoepdg solution and thought to ask a few questions regarding the implementation.
1. In most deployments tunnel authentication is bypassed. So, even if the UE sends a CERTREQ, it is ignored at the ePDG. The ePDG also doesn't send anything to the UE. Do you have any idea of how to implement that in strongswan, or have you explored that earlier? I saw that in 3GPP 33.402 and RFC 5996 the certificate parts are optional.
However, I know that strongswan authentication is tightly coupled, so I am just trying to understand if you have already bypassed it by making any changes in strongswan, or at least know how it should be done.
2. There are many error and status codes written in the ePDG standard 24.302 clause 8. Have you mapped all EPC core errors to the corresponding IKEv2 error or status codes?
Thanks & Regards
Subhajit Chatterjee New Delhi
Hi Subhajit,
- In most deployments tunnel authentication is bypassed. So, even if the UE sends a CERTREQ, it is ignored at the ePDG. The ePDG also doesn't send anything to the UE.
Do you have any idea of how to implement that in strongswan, or have you explored that earlier? I saw that in 3GPP 33.402 and RFC 5996 the certificate parts are optional.
I didn't look into it. I tested the ePDG with some Android phones (I also tested it once with an iPhone, while osmo-epdg was still in development). Usually an ePDG is reachable via a 3gppnetwork.org domain, but I didn't have access to one, so I never tested it with the certificate.
There is tunnel authentication, but not via a certificate, because EAP-AKA allows validating both ends and provides authenticity.
However, I know that strongswan authentication is tightly coupled, so I am just trying to understand if you have already bypassed it by making any changes in strongswan, or at least know how it should be done.
- There are many error and status codes written in the ePDG standard 24.302 clause 8. Have you mapped all EPC core errors to the corresponding IKEv2 error or status codes?
No, this is still a TODO. osmo-ePDG doesn't generate the Notify messages containing such errors.
Best, lynxis
Hi Lynxis,
Thank you for your response.
I have a question regarding the strongSwan configuration. Could you please share the ipsec.conf or swanctl.conf that you used when testing with real phones? I’d like to see what authentication method was used in your test case. Based on my understanding, it could be either PSK (Pre-Shared Key) or certificate-based.
Additionally, since mobile devices typically send a CERTREQ by default, I’m curious how you managed to validate it at the ePDG end. Also, could you explain how tunnel authentication was handled/configured in your setup? Any further details would be appreciated.
Best regards.
Subhajit
Thanks & Regards
Subhajit Chatterjee, Staff No: 5221, C-DOT Mehrauli, New Delhi
Hi Subhajit,
I have a question regarding the strongSwan configuration. Could you please share the ipsec.conf or swanctl.conf that you used when testing with real phones? I’d like to see what authentication method was used in your test case. Based on my understanding, it could be either PSK (Pre-Shared Key) or certificate-based.
Additionally, since mobile devices typically send a CERTREQ by default, I’m curious how you managed to validate it at the ePDG end. Also, could you explain how tunnel authentication was handled/configured in your setup? Any further details would be appreciated.
No, it's based on EAP-AKA or EAP-AKA', which allows mutual authentication. Yes, the certificate would also improve the situation, but it's optional.
You can find a description of my setup here: https://projects.osmocom.org/projects/osmo-epdg/wiki/Hosted_epdg_playground
Further reading: https://projects.osmocom.org/projects/osmo-epdg/wiki/EPDG_implementation_pla...
I used the following setup for testing:
https://gitea.osmocom.org/ims-volte-vowifi/ansible-prototype/src/branch/mast...
Best, lynxis
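The mutual authentication lynxis refers to comes from the AKA challenge inside EAP-AKA: the network sends RAND and AUTN, the UE checks the MAC in AUTN with the shared subscriber key K (so only a party that holds K, i.e. the home network, can produce an acceptable challenge) and checks that the sequence number is fresh, and only then returns RES, which the network compares to XRES. The following is an added example written for this thread, not osmo-epdg or strongSwan code; it models the AKA functions f1, f2 and f5 with HMAC-SHA256 over K purely for readability (real networks use Milenage or TUAK), and the subscriber key and AMF value are constructed sample data. It shows the genuine exchange and the three failure modes a defender cares about: a challenger that does not know K, a replayed challenge, and a client that cannot compute RES.

```python
"""Toy model of the AKA challenge used by EAP-AKA (RFC 4187, 3GPP TS 33.102).
Added example; not osmo-epdg or strongSwan code. f1/f2/f5 are modelled with
HMAC-SHA256 over the shared key K (an assumption for readability, not Milenage).
"""
import hashlib
import hmac
import secrets

MAC_FAILURE = "AUTN MAC failure"   # challenger does not hold K
SYNC_FAILURE = "SQN not fresh"     # replayed or stale challenge


def _f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    """Stand-in for the AKA key functions: keyed hash over K, tag and inputs."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """AAA/HSS side: holds K and the per-subscriber sequence number SQN."""

    def __init__(self, k: bytes, sqn: int = 0):
        self.k, self.sqn = k, sqn

    def challenge(self):
        """Build (RAND, AUTN, XRES); AUTN = SQN xor AK || AMF || MAC."""
        rand = secrets.token_bytes(16)
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        amf = b"\x80\x00"                                  # constructed AMF value
        mac = _f(self.k, b"f1", sqn, rand, amf)[:8]        # proves knowledge of K
        xres = _f(self.k, b"f2", rand)[:8]                 # expected UE response
        ak = _f(self.k, b"f5", rand)[:6]                   # anonymity key hides SQN
        return rand, _xor(sqn, ak) + amf + mac, xres


class UE:
    """USIM side: holds the same K and its own view of SQN."""

    def __init__(self, k: bytes, sqn: int = 0):
        self.k, self.sqn = k, sqn

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        """Verify AUTN (network authentication) and return RES, or raise."""
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = _xor(sqn_ak, _f(self.k, b"f5", rand)[:6])
        expected = _f(self.k, b"f1", sqn, rand, amf)[:8]
        if not hmac.compare_digest(expected, mac):
            raise ValueError(MAC_FAILURE)
        if int.from_bytes(sqn, "big") <= self.sqn:
            raise ValueError(SYNC_FAILURE)
        self.sqn = int.from_bytes(sqn, "big")
        return _f(self.k, b"f2", rand)[:8]


def run_aka(net: HomeNetwork, ue: UE) -> bool:
    """One full exchange: UE authenticates the network, network authenticates the UE."""
    rand, autn, xres = net.challenge()
    res = ue.respond(rand, autn)
    return hmac.compare_digest(res, xres)


def demo() -> dict:
    """Genuine run plus the three failure modes; returns the outcome of each."""
    k = bytes(range(16))                      # constructed sample subscriber key
    net, ue = HomeNetwork(k), UE(k)
    out = {"genuine": run_aka(net, ue)}
    # A challenger without K (rogue AAA/ePDG): the UE refuses before sending RES.
    try:
        run_aka(HomeNetwork(bytes(16)), UE(k))
        out["rogue_network"] = "accepted"
    except ValueError as e:
        out["rogue_network"] = str(e)
    # Replaying an earlier, valid challenge: rejected by the SQN freshness check.
    rand, autn, _ = net.challenge()
    ue.respond(rand, autn)
    try:
        ue.respond(rand, autn)
        out["replay"] = "accepted"
    except ValueError as e:
        out["replay"] = str(e)
    # A client that does not know K cannot produce RES matching XRES.
    _, _, xres = net.challenge()
    out["unknown_client"] = hmac.compare_digest(secrets.token_bytes(8), xres)
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the party the UE authenticates here is whoever holds K, which is the home network's HSS/AAA reached through the ePDG; the ePDG itself is trusted transitively through the EAP-AKA result carried in the IKEv2 AUTH payload, which is why the optional ePDG certificate in IKE_AUTH still adds value.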
Hi,
I have understood that you used EAP-AKA for UE authentication. I am not able to find EAP-AKA as a mutual authenticator in the ePDG standard. Can you please refer me to the clause where you got this point about using EAP-AKA as a mutual authenticator between UE and ePDG?
Also, in the template swanctl.conf you have used EAP-AKA on both the local and the remote side, whereas for the ePDG you have written a new auth method, EAP-EPDG, right?
That means when the UE sends a packet, the ePDG will invoke its EPDG code inside strongswan, then extract the UE's EAP identity and send it to the AAA for authentication.
Here the UE is getting authenticated, not the ePDG.
Is my understanding correct?
Thanks
Subhajit
On Mon, 17 Feb 2025 14:21:35 +0100, Alexander 'lynxis' Couzens wrote:
Hi Subhajit,
I have a question regarding the strongSwan configuration. Could you please share the ipsec.conf or swanctl.conf that you used when testing with real phones? I’d like to see what authentication method was used in your test case. Based on my understanding, it could be either PSK (Pre-Shared Key) or certificate-based.
Additionally, since mobile devices typically send a CERTREQ by default, I’m curious how you managed to validate it at the ePDG end. Also, could you explain how tunnel authentication was handled/configured in your setup? Any further details would be appreciated.
No, it's based on EAP-AKA or EAP-AKA', which allows mutual authentication. Yes, the certificate would also improve the situation, but it's optional.
You can find a description of my setup here: https://projects.osmocom.org/projects/osmo-epdg/wiki/Hosted_epdg_playground
Further reading: https://projects.osmocom.org/projects/osmo-epdg/wiki/EPDG_implementation_pla...
I used the following setup for testing:
https://gitea.osmocom.org/ims-volte-vowifi/ansible-prototype/src/branch/mast...
Best, lynxis
Thanks & Regards
Subhajit Chatterjee, Staff No: 5221, C-DOT Mehrauli, New Delhi