[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Using config mode together with extended authentication
Agreed on adding the example to the ikev2 document.
The case of CP + EAP, as Darren described it below, is also covered in our
draft
<http://www.vpnc.org/temp-draft-lebovitz-ipsec-scalable-ikev2cp-00.txt>
with respect to how to handle do EAP and CP where an off-gateway RADIUS
server acts as the authentication server and provides the CP parameters that
the gateway will send to the IRAC.
Gregory.
> -----Original Message-----
> From: Geoffrey Huang [mailto:ghuang@cisco.com]
> Sent: Thursday, March 13, 2003 1:27 PM
> To: ddukes@cisco.com; ipsec@lists.tislabs.com
> Cc: 'Charlie Kaufman'
> Subject: RE: Using config mode together with extended authentication
>
>
> OK - that's what I thought, that CP brackets the EAP exchange. I just
> wanted to be sure. It'd be good to add the example below to the
> document.
>
> -g
>
> > -----Original Message-----
> > From: Darren Dukes [mailto:ddukes@cisco.com]
> > Sent: Thursday, March 13, 2003 1:20 PM
> > To: Geoffrey Huang; ipsec@lists.tislabs.com
> > Cc: Charlie Kaufman
> > Subject: RE: Using config mode together with extended authentication
> >
> >
> > In the scenario you mention the CP is sent before SAi2 and
> > SAr2. So the
> > initiator sends CP(CFG_REQUEST) in the first IKE_AUTH
> exchange and the
> > responder sends CP(CFG_REPLY) in the last IKE_AUTH exchange.
> > Using the EAP
> > example from the IKEv2-05 draft and inserting CP it would
> > look like this...
> >
> > Initiator Responder
> > ----------- -----------
> > HDR, SAi1, KEi, Ni -->
> > <-- HDR, SAr1, KEr, Nr, [CERTREQ]
> > HDR, SK {IDi, [CERTREQ,] [IDr,]
> > [CP], SAi2, TSi, TSr} -->
> > <-- HDR, SK {IDr, [CERT,] AUTH,
> > EAP }
> > HDR, SK {EAP, [AUTH] } -->
> > <-- HDR, SK {EAP, [AUTH],
> > [CP], SAr2, TSi, TSr }
> >
> >
> > Charlie, could you add the CP payloads to the example for EAP
> > so this is
> > clearer?
> >
> > Darren
> >
> >
> >
> > > -----Original Message-----
> > > From: owner-ipsec@lists.tislabs.com
> > > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Geoffrey Huang
> > > Sent: Thursday, March 13, 2003 3:08 PM
> > > To: ipsec@lists.tislabs.com
> > > Subject: Using config mode together with extended authentication
> > >
> > >
> > > I've looked over the sections regarding EAP/XAuth and
> Config mode in
> > > IKEv2-05, and there are packet descriptions in each section
> > describing
> > > what IKE looks like if either one is used. But what
> > happens if you do
> > > the cfg request and EAP? Based on the EAP description, the
> > responder
> > > sends an EAP request in the 4th message, starting off an
> > EAP exchange.
> > >
> > > But the Cfg Request description says that the initiator sends a CP
> > > payload before the SAi2 payload. Does this mean that if we
> > do both CP
> > > and EAP it looks like:
> > >
> > > INIT RESPO
> > > msg1 ---->
> > > <---- msg2
> > > msg3+CP ---->
> > > <---- msg4+EAP
> > > EAP ---->
> > > <---- CP reply, etc.
> > >
> > > Maybe it's described in the document, and I just missed it.
> > >
> > > -g
> > >
> >
> >
>