IKE_AUTH

Description

This iRule event is triggered during IPsec negotiation for an IKEv2 ike-peer, during the IKE_AUTH exchange, but only if basic certificate auth succeeds and that ike-peer is also configured to require further auth via iRules (for example, based on values in the cert such as subjectAltName).
This event inserts one more step after the basic cert auth performed by IPsec and before certificate auth is treated as successful. Expected usage is to 1) fetch the cert involved via command IKE::cert, 2) extract the cert's SAN (aka subjectAltName) via X509 commands, and then 3) decide whether auth is permitted based on some deviceID inside the SAN, perhaps by outsourcing this decision to another server via another iRule command.
If the decision is "cert auth failure", the rule should use command IKE::abort in order to cause IPsec negotiation to fail for this peer and this certificate. If IKE::abort is not called before the rule ends, IPsec negotiation proceeds by default and the cert is accepted. In effect, the entire purpose of the IKE_AUTH event is to make it possible to further validate the certificate returned by command IKE::cert, with IKE::abort causing failure if the cert is rejected after analysis.

Examples

when IKE_AUTH {
    # Fetch the peer certificate that already passed basic IPsec cert auth
    set ike_cert [IKE::cert 0]
    # Pull the Subject Alternative Name text out of the X509 extensions
    set san_temp [findstr [X509::extensions $ike_cert] "Subject Alternative Name" 32 ","]
    # Extract the value following "email:" (6 characters skipped)
    set san_email [findstr $san_temp "email" 6]
    # The if expression must be braced in Tcl; abort the negotiation on mismatch
    if { $san_email ne "fred" } { IKE::abort }
}
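The example above accepts the cert whenever the comparison happens to pass and otherwise aborts, but it also accepts by default if the SAN cannot be found at all. The following is an added example (not from the original page or from F5) of the default-deny pattern the description implies: every path that cannot positively validate the peer calls IKE::abort. It assumes a data group named ike_allowed_device_ids holding permitted deviceID values, and an email-form SAN of the hypothetical shape deviceID@domain; both are assumptions, not something the page specifies.

```tcl
when IKE_AUTH {
    # Default-deny: any path that cannot positively validate the peer aborts,
    # because ending the rule without IKE::abort lets the cert be accepted.
    set ike_cert [IKE::cert 0]
    set ext [X509::extensions $ike_cert]

    # Locate the email form of the SAN by pattern rather than by fixed
    # character offsets, so layout differences in the extension text do
    # not silently yield an empty value.
    if { ![regexp {email:([^,\s]+)} $ext -> san_email] } {
        log local0. "IKE_AUTH: no email SAN in cert [X509::subject $ike_cert], aborting"
        IKE::abort
        return
    }

    # Assumed (hypothetical) deviceID format: "<deviceID>@<domain>".
    set device_id [lindex [split $san_email "@"] 0]
    if { $device_id eq "" } {
        log local0. "IKE_AUTH: empty deviceID in SAN $san_email, aborting"
        IKE::abort
        return
    }

    # Assumed data group "ike_allowed_device_ids" holds the permitted IDs.
    # Replace this lookup with an external query if the decision is
    # outsourced to another server, as the description suggests.
    if { ![class match $device_id equals ike_allowed_device_ids] } {
        log local0. "IKE_AUTH: deviceID $device_id not in allow list, aborting"
        IKE::abort
        return
    }

    log local0. "IKE_AUTH: deviceID $device_id accepted"
}
```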