ltm rule event IKE_AUTH
iRule(1) BIG-IP TMSH Manual iRule(1)
IKE_AUTH
Triggered during the IPsec IKE_AUTH exchange for IKEv2 ike-peers that require TCL-based (iRule) authorization of certificates.
DESCRIPTION
This iRule event is triggered during IPsec negotiation for an IKEv2 ike-peer, in the IKE_AUTH exchange, but only if the
basic certificate authentication has already succeeded and the ike-peer is also configured to require further
authorization via rules (for example, based on values in the certificate such as the subjectAltName).
The event adds one more step between the basic certificate check performed by IPsec and final acceptance of the peer.
Expected usage is to 1) fetch the certificate involved with the IKE::cert command, 2) extract the certificate's SAN
(subjectAltName) with the X509 commands, and 3) decide whether authentication is permitted based on some device ID
carried in the SAN, possibly by delegating that decision to another server via another iRule command.
If the decision is that certificate authentication fails, the rule must call IKE::abort, which causes the IPsec
negotiation to fail for this peer and this certificate. Note that the default is to accept: if the rule finishes without
calling IKE::abort, negotiation proceeds and the certificate is accepted, so a rule that returns early or takes an
unexpected branch permits the peer. In effect, the sole purpose of the IKE_AUTH event is to allow further validation of
the certificate returned by IKE::cert and to let IKE::abort reject it after analysis.
Examples
when IKE_AUTH {
    # Certificate presented by the peer in the IKE_AUTH exchange
    set ike_cert [IKE::cert 0]
    # Locate the Subject Alternative Name extension in the extensions text;
    # the skip count steps past the extension label, "," ends the first entry
    set san_temp [findstr [X509::extensions $ike_cert] "Subject Alternative Name" 32 ","]
    # Strip the "email:" type prefix, leaving the address itself
    set san_email [findstr $san_temp "email" 6]
    # Tcl conditions must be braced; reject the peer unless the address matches
    # ("fred" is a placeholder for the expected value)
    if { $san_email ne "fred" } { IKE::abort }
}
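A fuller version of the three-step procedure described above (fetch the certificate, extract the SAN, decide), added here as an example and not part of the original manual page. It parses every SAN entry rather than the first one, treats the local part of an email SAN as the device ID (a hypothetical convention), checks that ID against a hypothetical data group named ike_allowed_devices, and fails closed: IKE::abort is called unless a permitted ID is found, including when no certificate is available. The assumption that X509::extensions returns OpenSSL-style text with "type:value" SAN entries separated by commas is made here, not stated by this page.

```tcl
when IKE_AUTH {
    # Fail closed: the peer is rejected unless a SAN entry passes the check below.
    # (Without IKE::abort the certificate is accepted when the rule ends.)
    set permit 0

    # Certificate presented by the peer in the IKE_AUTH exchange
    set ike_cert [IKE::cert 0]
    if { $ike_cert eq "" } {
        log local0. "IKE_AUTH: no peer certificate available, aborting"
        IKE::abort
        return
    }

    # Assumption: X509::extensions returns OpenSSL-style text in which SAN
    # entries appear as "<type>:<value>" pairs separated by commas, e.g.
    # "DNS:gw1.example.com, email:device-0001@example.com"
    set ext [X509::extensions $ike_cert]
    set san_entries [regexp -all -inline {(?:DNS|email|URI|IP Address):[^,\r\n]+} $ext]

    foreach entry $san_entries {
        # Split at the first colon only; URI values contain further colons
        set idx [string first ":" $entry]
        set type [string range $entry 0 [expr {$idx - 1}]]
        set value [string trim [string range $entry [expr {$idx + 1}] end]]

        # Hypothetical convention: the device ID is the local part of an email SAN
        if { $type eq "email" } {
            set device_id [lindex [split $value "@"] 0]
            # Hypothetical data group "ike_allowed_devices" listing permitted IDs
            if { [class match $device_id equals ike_allowed_devices] } {
                set permit 1
                log local0. "IKE_AUTH: device $device_id permitted via SAN entry $entry"
                break
            }
        }
    }

    if { !$permit } {
        log local0. "IKE_AUTH: no permitted device ID in SAN, aborting negotiation"
        IKE::abort
    }
}
```

The decision is expressed as a single permit flag that starts false, so every path that does not explicitly set it ends in IKE::abort; this is the opposite of the event's built-in default and is the shape a practitioner wants for an authorization hook.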
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-15.0.0 --First introduced the event.
BIG-IP 2022-04-12 iRule(1)