
RE: Using config mode together with extended authentication



Agreed on adding the example to the ikev2 document.

The case of CP + EAP, as Darren described it below, is also covered in our
draft
 <http://www.vpnc.org/temp-draft-lebovitz-ipsec-scalable-ikev2cp-00.txt>

with respect to how to handle EAP and CP where an off-gateway RADIUS
server acts as the authentication server and provides the CP parameters that
the gateway will send to the IRAC.

Gregory.


> -----Original Message-----
> From: Geoffrey Huang [mailto:ghuang@cisco.com]
> Sent: Thursday, March 13, 2003 1:27 PM
> To: ddukes@cisco.com; ipsec@lists.tislabs.com
> Cc: 'Charlie Kaufman'
> Subject: RE: Using config mode together with extended authentication
> 
> 
> OK - that's what I thought, that CP brackets the EAP exchange.  I just
> wanted to be sure.  It'd be good to add the example below to the
> document.
> 
> -g
> 
> > -----Original Message-----
> > From: Darren Dukes [mailto:ddukes@cisco.com] 
> > Sent: Thursday, March 13, 2003 1:20 PM
> > To: Geoffrey Huang; ipsec@lists.tislabs.com
> > Cc: Charlie Kaufman
> > Subject: RE: Using config mode together with extended authentication
> > 
> > 
> > In the scenario you mention the CP is sent before SAi2 and SAr2.  So the
> > initiator sends CP(CFG_REQUEST) in the first IKE_AUTH exchange and the
> > responder sends CP(CFG_REPLY) in the last IKE_AUTH exchange.  Using the EAP
> > example from the IKEv2-05 draft and inserting CP it would look like this...
> > 
> > Initiator                          Responder
> > -----------                        -----------
> > HDR, SAi1, KEi, Ni         -->
> >                            <--    HDR, SAr1, KEr, Nr, [CERTREQ]
> > HDR, SK {IDi, [CERTREQ,] [IDr,]
> >          [CP], SAi2, TSi, TSr}   -->
> >                            <--    HDR, SK {IDr, [CERT,] AUTH,
> >                                            EAP }
> > HDR, SK {EAP, [AUTH] }     -->
> >                            <--    HDR, SK {EAP, [AUTH],
> >                                            [CP], SAr2, TSi, TSr }
> > 
> > 
> > Charlie, could you add the CP payloads to the example for EAP 
> > so this is
> > clearer?
> > 
> > Darren
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: owner-ipsec@lists.tislabs.com
> > > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Geoffrey Huang
> > > Sent: Thursday, March 13, 2003 3:08 PM
> > > To: ipsec@lists.tislabs.com
> > > Subject: Using config mode together with extended authentication
> > >
> > >
> > > I've looked over the sections regarding EAP/XAuth and Config mode in
> > > IKEv2-05, and there are packet descriptions in each section describing
> > > what IKE looks like if either one is used.  But what happens if you do
> > > the cfg request and EAP?  Based on the EAP description, the responder
> > > sends an EAP request in the 4th message, starting off an EAP exchange.
> > >
> > > But the Cfg Request description says that the initiator sends a CP
> > > payload before the SAi2 payload.  Does this mean that if we do both CP
> > > and EAP it looks like:
> > >
> > > INIT             RESPO
> > > msg1   ---->
> > >        <----     msg2
> > > msg3+CP ---->
> > >        <----     msg4+EAP
> > > EAP    ---->
> > >        <----     CP reply, etc.
> > >
> > > Maybe it's described in the document, and I just missed it.
> > >
> > > -g
> > >
> > 
> > 
>
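The message layout Darren gives in the thread above (CP(CFG_REQUEST) in the first IKE_AUTH message, EAP exchanged in the middle, CP(CFG_REPLY) only in the responder's last IKE_AUTH message alongside SAr2/TSi/TSr) can be driven as a small simulation. The following is an added example written for this page; it is not code from any IKEv2 implementation, from the IKEv2-05 draft, or from the draft Gregory links. Payloads are modelled by name only (no cryptography, no wire format), the EAP method is a constructed one that needs `EAP_ROUNDS` Request/Response pairs, the configuration attribute values are constructed, and the class and function names (`Initiator`, `Responder`, `run_exchange`, `cp_brackets_eap`) are this example's own. The security-relevant point it exercises is that the gateway parks the CFG_REQUEST and releases configuration only once EAP has finished and AUTH has been seen, and it refuses a CFG_REQUEST that arrives out of place during the EAP rounds.

```python
"""Toy model of IKEv2 IKE_AUTH with a Configuration Payload (CP) bracketing EAP,
following the message layout given in the thread.  Added illustrative code;
not from any IKEv2 implementation or draft.  Payloads are names only."""
from dataclasses import dataclass
from typing import Dict, List, Optional

EAP_ROUNDS = 2   # constructed: the EAP method needs two Request/Response pairs
CONSTRUCTED_CONFIG = {"INTERNAL_IP4_ADDRESS": "10.1.2.3",   # constructed values
                      "INTERNAL_IP4_DNS": "10.1.0.53"}


@dataclass
class Message:
    direction: str        # "I->R" or "R->I"
    exchange: str         # "IKE_SA_INIT" or "IKE_AUTH"
    payloads: List[str]   # payload names in order; SK{...} encryption is implied


@dataclass
class Responder:
    """Gateway side: parks the CFG_REQUEST and releases config only after EAP."""
    requested: Optional[List[str]] = None      # attribute names the peer asked for
    eap_round: int = 0                         # 0 = EAP not started yet
    released: Optional[Dict[str, str]] = None  # what was handed out in CFG_REPLY

    def handle(self, msg: Message) -> Message:
        p = msg.payloads
        if msg.exchange == "IKE_SA_INIT":
            return Message("R->I", "IKE_SA_INIT", ["HDR", "SAr1", "KEr", "Nr", "CERTREQ"])

        if self.eap_round == 0:
            # First IKE_AUTH message.  No AUTH from the initiator means "use EAP";
            # the CFG_REQUEST is parked until the initiator is authenticated.
            if "AUTH" in p:
                raise ValueError("this toy responder only models the EAP path")
            if "CP(CFG_REQUEST)" in p:
                self.requested = list(CONSTRUCTED_CONFIG)
            self.eap_round = 1
            return Message("R->I", "IKE_AUTH", ["HDR", "IDr", "CERT", "AUTH", "EAP(Request)"])

        # EAP in progress: a CFG_REQUEST here is out of place and is rejected.
        if "CP(CFG_REQUEST)" in p:
            raise ValueError("CFG_REQUEST belongs in the first IKE_AUTH message only")
        if "EAP(Response)" not in p:
            raise ValueError("expected EAP(Response) while EAP is in progress")

        if self.eap_round < EAP_ROUNDS:
            self.eap_round += 1
            return Message("R->I", "IKE_AUTH", ["HDR", "EAP(Request)"])

        # Last EAP round: the initiator carries AUTH with its final EAP Response
        # (as in the thread's diagram); only now is the parked CFG_REQUEST answered.
        if "AUTH" not in p:
            raise ValueError("AUTH required to finish IKE_AUTH")
        payloads = ["HDR", "EAP(Success)", "AUTH"]
        if self.requested is not None:
            self.released = {k: CONSTRUCTED_CONFIG[k] for k in self.requested}
            payloads.append("CP(CFG_REPLY)")
        payloads += ["SAr2", "TSi", "TSr"]
        return Message("R->I", "IKE_AUTH", payloads)


@dataclass
class Initiator:
    """Remote-access client side (the IRAC)."""
    want_config: bool = True
    responses_sent: int = 0
    got_config: bool = False

    def start(self) -> Message:
        return Message("I->R", "IKE_SA_INIT", ["HDR", "SAi1", "KEi", "Ni"])

    def next(self, reply: Message) -> Optional[Message]:
        p = reply.payloads
        if reply.exchange == "IKE_SA_INIT":
            payloads = ["HDR", "IDi", "IDr"]
            if self.want_config:
                payloads.append("CP(CFG_REQUEST)")   # placed before SAi2
            payloads += ["SAi2", "TSi", "TSr"]       # no AUTH: asks for EAP
            return Message("I->R", "IKE_AUTH", payloads)
        if "EAP(Success)" in p:                      # final message: done
            self.got_config = "CP(CFG_REPLY)" in p
            return None
        if "EAP(Request)" in p:
            self.responses_sent += 1
            payloads = ["HDR", "EAP(Response)"]
            if self.responses_sent == EAP_ROUNDS:    # constructed: method knows it is done
                payloads.append("AUTH")
            return Message("I->R", "IKE_AUTH", payloads)
        raise ValueError("unexpected responder message")


def run_exchange(want_config: bool = True) -> List[Message]:
    """Drive one full exchange and return the transcript in order."""
    init, resp = Initiator(want_config=want_config), Responder()
    transcript: List[Message] = []
    msg: Optional[Message] = init.start()
    while msg is not None:
        transcript.append(msg)
        reply = resp.handle(msg)
        transcript.append(reply)
        msg = init.next(reply)
    return transcript


def cp_brackets_eap(transcript: List[Message]) -> bool:
    """True when CFG_REQUEST sits only in the first IKE_AUTH message and
    CFG_REPLY only in the last one, i.e. the CP payloads bracket the EAP rounds."""
    auth = [m for m in transcript if m.exchange == "IKE_AUTH"]
    req = [k for k, m in enumerate(auth) if "CP(CFG_REQUEST)" in m.payloads]
    rep = [k for k, m in enumerate(auth) if "CP(CFG_REPLY)" in m.payloads]
    return req == [0] and rep == [len(auth) - 1]


if __name__ == "__main__":
    transcript = run_exchange()
    for m in transcript:
        print(f"{m.direction}  {m.exchange:12s} {', '.join(m.payloads)}")
    print("CP brackets EAP:", cp_brackets_eap(transcript))
```

Running it prints the eight messages of the exchange with `EAP_ROUNDS = 2`; raising `EAP_ROUNDS` adds more EAP Request/Response pairs in the middle while the CP payloads stay at the two ends, which is the property `cp_brackets_eap` checks.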