ltm rule event IKE AUTH

iRule(1)						BIG-IP TMSH Manual						  iRule(1)

IKE_AUTH
       Triggered during IPsec IKE_AUTH for IKEv2 ike-peers that need TCL-based auth for certificates.

DESCRIPTION
       This iRule event is triggered during IPsec negotiation for an IKEv2 ike-peer, during the IKE_AUTH exchange -- but only if
       basic certificate authentication succeeds, and only if that ike-peer is also configured to require further authentication
       via iRules (for example, based on values in the certificate such as the subjectAltName).

       This event adds one more step after the basic certificate authentication performed by IPsec and before certificate
       authentication is considered to have succeeded. The expected usage is to 1) fetch the certificate involved via the IKE::cert
       command, 2) extract the certificate's SAN (subjectAltName) via the X509 commands, and then 3) decide whether authentication
       is permitted based on some device ID inside the SAN, perhaps by outsourcing that decision to another server via another
       iRule command.

       If the decision is "cert auth failure", the rule should call IKE::abort so that IPsec negotiation fails for this peer and
       this certificate.  If the rule ends without calling IKE::abort, IPsec negotiation proceeds and the certificate is accepted by
       default.  In effect, the entire purpose of the IKE_AUTH event is to allow further validation of the certificate returned by
       IKE::cert, with IKE::abort causing the negotiation to fail if the certificate is rejected after analysis.

Examples
	when IKE_AUTH {
	    # Fetch the peer certificate presented in this IKE_AUTH exchange
	    set ike_cert [IKE::cert 0]
	    # Pull the first subjectAltName entry out of the extensions text
	    set san_temp [findstr [X509::extensions $ike_cert] "Subject Alternative Name" 32 ","]
	    # Strip the "email:" prefix to get the bare address
	    set san_email [findstr $san_temp "email" 6]
	    # Brace the expression: the SAN is peer-supplied data, and an unbraced
	    # if-expression is substituted a second time by expr
	    if { $san_email ne "fred" } { IKE::abort }
	}
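	As an added example that is not part of this manual page, the same flow written default-deny: every path that does not
	positively match a permitted device ID calls IKE::abort, because the event otherwise accepts the certificate. The data group
	name ike_allowed_devices, the single-line layout of the SAN in the X509::extensions output, and the availability of class,
	log and catch inside IKE_AUTH are assumptions.

```tcl
# Added example, not BIG-IP's own code. Assumes a string data group named
# "ike_allowed_devices" that lists permitted device IDs (the email-form SAN).
when IKE_AUTH {
    set ike_cert [IKE::cert 0]
    set permit 0
    set device_id ""
    # Any error while parsing the certificate is treated as a failed auth,
    # since IKE_AUTH accepts the certificate unless IKE::abort is called.
    if { [catch {
        set ext [X509::extensions $ike_cert]
        # Assumed layout: the SAN entries follow the header on one line,
        # e.g. "email:dev42@example.com, DNS:dev42.example.com"
        set san [findstr $ext "Subject Alternative Name" 32 "\n"]
        foreach entry [split $san ","] {
            set entry [string trim $entry]
            if { [string match "email:*" $entry] } {
                set device_id [string range $entry 6 end]
                # Exact (not glob) match against the allow list
                if { [class match $device_id equals ike_allowed_devices] } {
                    set permit 1
                }
            }
        }
    } err] } {
        log local0.err "IKE_AUTH: certificate parse error, rejecting: $err"
        IKE::abort
        return
    }
    if { !$permit } {
        log local0.warn "IKE_AUTH: device ID '$device_id' not permitted, rejecting"
        IKE::abort
        return
    }
    log local0.info "IKE_AUTH: device ID '$device_id' permitted"
}
```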

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-15.0.0 -- First introduced the event.

BIG-IP							    2022-04-12							  iRule(1)