IKE_AUTH
Description
This iRule event is triggered during IPsec negotiation for an IKEv2 ike-peer,
during the IKE_AUTH exchange, but only if basic certificate authentication
succeeds and the ike-peer is also configured to require further authentication
via iRules (for example, based on values in the certificate such as subjectAltName).
This event allows one more step to be added after the basic certificate
authentication performed by IPsec, before certificate authentication is
considered successful. Expected usage is to 1) fetch the certificate involved
via the IKE::cert command, 2) extract the certificate's SAN (subjectAltName)
via the X509 commands, and then 3) decide whether authentication is permitted
based on some device ID inside the SAN, possibly by delegating this decision
to another server via another iRule command.
If the decision is "cert auth failure", the rule should use the IKE::abort
command to cause IPsec negotiation to fail for this peer and this certificate.
If IKE::abort has not been called by the time the rule ends, further IPsec
negotiation succeeds by default and the certificate is accepted. In effect,
the entire purpose of the IKE_AUTH event is to make it possible to further
validate the certificate returned by IKE::cert, and to let IKE::abort cause
failure if the certificate is rejected after analysis.
Examples
when IKE_AUTH {
    # Fetch the peer certificate presented in the IKE_AUTH exchange.
    set ike_cert [IKE::cert 0]
    # Skip 32 characters past the start of the "Subject Alternative Name" label
    # (label plus separator) and stop at the first comma.
    set san_temp [findstr [X509::extensions $ike_cert] "Subject Alternative Name" 32 ","]
    # Skip 6 characters past "email" (i.e. "email:") to get the address itself.
    set san_email [findstr $san_temp "email" 6]
    # Tcl's if requires a braced expression; reject any peer whose SAN email is not "fred".
    if { $san_email ne "fred" } { IKE::abort }
}
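As an added example (not from the original page), the same three-step pattern written to fail closed: because the rule accepts the certificate by default when it ends without IKE::abort, any error in the check is caught and converted into a rejection. It assumes a string data group named ike_allowed_device_ids (hypothetical) listing the permitted SAN identities, and that X509::extensions returns OpenSSL-style text in which the SAN value follows a "Subject Alternative Name:" label, on the same line or the next.

```tcl
# Added example, not the page's own code. Assumes a data group
# "ike_allowed_device_ids" (hypothetical) holding permitted SAN identities.
when IKE_AUTH {
    set permitted 0
    # Any error inside this block must not fall through to the default "accept".
    if { [catch {
        set ike_cert [IKE::cert 0]
        if { $ike_cert ne "" } {
            set exts [X509::extensions $ike_cert]
            # Isolate only the SAN line (\s* also skips a line break if the
            # value is printed on the line after the label).
            set san ""
            regexp {Subject Alternative Name:\s*([^\n]+)} $exts -> san
            # Check each DNS:/email:/URI: value on that line against the allow-list.
            foreach {match id} [regexp -all -inline {(?:DNS|email|URI):([^,\s]+)} $san] {
                if { [class match $id equals ike_allowed_device_ids] } {
                    set permitted 1
                    break
                }
            }
        }
    } err] } {
        log local0. "IKE_AUTH: error during SAN check ($err), rejecting peer"
        set permitted 0
    }
    if { !$permitted } {
        log local0. "IKE_AUTH: no permitted device ID in SAN, rejecting peer"
        IKE::abort
    }
}
```

Only the SAN line is searched, so URI: entries from other extensions (such as Authority Information Access) cannot satisfy the allow-list.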