Diffstat (limited to 'src')
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c5
-rw-r--r--src/libcharon/plugins/stroke/stroke_socket.c2
-rw-r--r--src/starter/args.c1
-rw-r--r--src/starter/confread.h1
-rw-r--r--src/starter/ipsec.conf.5.in5
-rw-r--r--src/starter/keywords.h1
-rw-r--r--src/starter/keywords.txt1
-rw-r--r--src/starter/starterstroke.c1
-rw-r--r--src/stroke/stroke_msg.h1
9 files changed, 18 insertions, 0 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 617069432..b35bbbfe1 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -502,6 +502,11 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
}
cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
}
+ if (msg->add_conn.aaa_identity)
+ {
+ cfg->add(cfg, AUTH_RULE_AAA_IDENTITY,
+ identification_create_from_string(msg->add_conn.aaa_identity));
+ }
}
else
{
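Review bot: The identification created inline in the new cfg->add call is stored without any check, whereas the EAP identity a few lines up is built into `identity` before it is added (that preparation is above the hunk, so I cannot see what validation it performs). If identification_create_from_string can return NULL for a string it fails to parse in this version, a NULL rule ends up in the auth config; if it always returns an object, a one-line comment such as `/* identification_create_from_string never returns NULL here */` would document why no check is needed. build_auth_cfg starts and ends outside the hunk.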
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 974dbd5d8..06a636a7d 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -180,11 +180,13 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
pop_end(msg, "left", &msg->add_conn.me);
pop_end(msg, "right", &msg->add_conn.other);
pop_string(msg, &msg->add_conn.eap_identity);
+ pop_string(msg, &msg->add_conn.aaa_identity);
pop_string(msg, &msg->add_conn.algorithms.ike);
pop_string(msg, &msg->add_conn.algorithms.esp);
pop_string(msg, &msg->add_conn.ikeme.mediated_by);
pop_string(msg, &msg->add_conn.ikeme.peerid);
DBG2(DBG_CFG, " eap_identity=%s", msg->add_conn.eap_identity);
+ DBG2(DBG_CFG, " aaa_identity=%s", msg->add_conn.aaa_identity);
DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
DBG2(DBG_CFG, " mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
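Review bot: The new pop_string call makes aaa_identity a value taken directly from the message received on the stroke socket, so its safety rests entirely on pop_string rejecting offsets that fall outside the message's declared length; that helper is outside the hunk, so confirm it does. Logging the field with `%s` while it may be NULL relies on the same printf behaviour the existing eap_identity line already depends on, so nothing new is introduced there. stroke_add_conn continues outside the hunk.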
diff --git a/src/starter/args.c b/src/starter/args.c
index ab6b60509..37d600283 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -208,6 +208,7 @@ static const token_info_t token_info[] =
{ ARG_MISC, 0, NULL /* KW_AUTHBY */ },
{ ARG_MISC, 0, NULL /* KW_EAP */ },
{ ARG_STR, offsetof(starter_conn_t, eap_identity), NULL },
+ { ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL },
{ ARG_MISC, 0, NULL /* KW_MOBIKE */ },
{ ARG_MISC, 0, NULL /* KW_FORCEENCAPS */ },
{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL },
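Review bot: The new token_info row carries no marker tying it to its keyword, while the surrounding ARG_MISC rows do; since this table is indexed by the keyword enum, a row inserted one position off silently maps every later keyword onto the wrong field with no compile-time error. Writing it as `{ ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL /* KW_AAA_IDENTITY */ },` keeps the position visibly matched to the enum entry added in keywords.h. The same positional coupling applies to the keywords.h and keywords.txt hunks. token_info continues outside the hunk.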
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 5e4356ea3..3bbff6466 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -117,6 +117,7 @@ struct starter_conn {
u_int32_t eap_type;
u_int32_t eap_vendor;
char *eap_identity;
+ char *aaa_identity;
char *xauth_identity;
lset_t policy;
time_t sa_ike_life_seconds;
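Review bot: The new `aaa_identity` string is allocated during parsing, but the diff does not touch the code that releases a starter_conn, so the field's lifetime is not visible here. If connection cleanup frees ARG_STR fields generically by walking the token_info table, the args.c row covers it; otherwise the string leaks on every configuration reload. A comment on the field, `char *aaa_identity; /* owned; freed with the other ARG_STR fields */`, would record which of the two holds once confirmed. struct starter_conn starts and ends outside the hunk.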
diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in
index 0f87f6b21..de19cec29 100644
--- a/src/starter/ipsec.conf.5.in
+++ b/src/starter/ipsec.conf.5.in
@@ -228,6 +228,11 @@ Unless otherwise noted, for a connection to work,
in general it is necessary for the two ends to agree exactly
on the values of these parameters.
.TP 14
+.B aaa_identity
+defines the identity of the AAA backend used during IKEv2 EAP authentication.
+This is required if the EAP client uses a method that verifies the server
+identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
+.TP
.B ah
AH authentication algorithm to be used
for the connection, e.g.
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 25d2ce4b9..0c78b8c4b 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -71,6 +71,7 @@ typedef enum {
KW_AUTHBY,
KW_EAP,
KW_EAP_IDENTITY,
+ KW_AAA_IDENTITY,
KW_MOBIKE,
KW_FORCEENCAPS,
KW_IKELIFETIME,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index fcdc60cff..06705635a 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -49,6 +49,7 @@ force_keepalive, KW_FORCE_KEEPALIVE
virtual_private, KW_VIRTUAL_PRIVATE
eap, KW_EAP
eap_identity, KW_EAP_IDENTITY
+aaa_identity, KW_AAA_IDENTITY
mobike, KW_MOBIKE
forceencaps, KW_FORCEENCAPS
pkcs11module, KW_PKCS11MODULE
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9c69ab9e5..32b373b2d 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -223,6 +223,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.eap_type = conn->eap_type;
msg.add_conn.eap_vendor = conn->eap_vendor;
msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
+ msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
if (conn->policy & POLICY_TUNNEL)
{
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 9e2300d05..9466cf0b0 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -232,6 +232,7 @@ struct stroke_msg_t {
u_int32_t eap_type;
u_int32_t eap_vendor;
char *eap_identity;
+ char *aaa_identity;
int mode;
int mobike;
int force_encap;
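Review bot: Inserting `aaa_identity` in the middle of add_conn shifts the offset of every later field (mode, mobike, force_encap and the rest), so a starter built against the previous stroke_msg.h will be mis-parsed by a charon built with this one, and vice versa. If the stroke message carries no version field that the receiver checks (none is visible in this diff), such a mismatch shows up only as wrong field values; appending the field at the end of add_conn would keep the older fields readable, or a comment such as `/* field order is the wire layout; rebuild starter and charon together */` should warn maintainers. stroke_msg_t starts and ends outside the hunk.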