ltm rule event IKE_AUTH

iRule(1)					  BIG-IP TMSH Manual					     iRule(1)

IKE_AUTH
       Triggered during IPsec IKE_AUTH for IKEv2 ike-peers that need TCL-based auth for certificates.

DESCRIPTION
       This iRule event is triggered during IPsec negotiation for an IKEv2 ike-peer, during the IKE_AUTH exchange,
       but only if the basic certificate auth succeeds and that ike-peer is also configured to require further auth
       via rules (for example, based on values in the cert such as subjectAltName).

       This event inserts one more step between the basic cert auth performed by IPsec and the final acceptance of
       the certificate. Expected usage is to 1) fetch the cert involved via command IKE::cert, 2) extract the
       cert's SAN (aka subjectAltName) via X509 commands, and then 3) decide whether auth is permitted based on some
       device ID inside the SAN, perhaps by outsourcing that decision to another server via another iRule command.

       If the decision is "cert auth failure", the rule should call command IKE::abort, which causes IPsec
       negotiation to fail for this peer and this certificate.  If the rule ends without calling IKE::abort,
       IPsec negotiation proceeds by default and the cert is accepted.  In effect, the entire purpose of the
       IKE_AUTH event is to make it possible to further validate a certificate returned by command IKE::cert and
       to let IKE::abort cause failure if the certificate is rejected after analysis.

Examples
	when IKE_AUTH {
	    # Fetch the peer certificate presented during IKE_AUTH.
	    set ike_cert [IKE::cert 0]
	    # Skip past the "Subject Alternative Name" label to the first SAN entry, stopping at the next comma.
	    set san_temp [findstr [X509::extensions $ike_cert] "Subject Alternative Name" 32 ","]
	    # Skip the "email:" prefix to isolate the address itself.
	    set san_email [findstr $san_temp "email" 6]
	    # Reject the peer unless the SAN email is the expected value (Tcl if requires a braced expression).
	    if { $san_email ne "fred" } { IKE::abort }
	}
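	A default-deny variant of the same check, added here as an example rather than taken from the BIG-IP manual:
	every SAN entry is compared against an allowlist, and IKE::abort runs unless one matches. It assumes a string
	data group named ike_allowed_devices (hypothetical) holding the permitted SAN identities, and that
	X509::extensions returns OpenSSL-style text in which the SAN entries follow the "Subject Alternative Name:"
	label, on the same line or the next one.

```tcl
# Added example, not code from the BIG-IP manual. Assumes a string data group
# "ike_allowed_devices" (hypothetical) listing permitted SAN entries such as
# "email:fred@example.com" or "DNS:device1.example.com".
when IKE_AUTH {
    set ike_cert [IKE::cert 0]
    set allowed 0

    # Text after the SAN label (25 chars skips "Subject Alternative Name:").
    # findstr returns "" when the label is absent, which leaves $allowed at 0.
    set rest [findstr [X509::extensions $ike_cert] "Subject Alternative Name:" 25]

    # The entries may sit on the label line or on the indented line below it,
    # so take the first non-empty line after the label.
    set san_line ""
    foreach line [split $rest "\n"] {
        set line [string trim $line]
        if { $line ne "" } {
            set san_line $line
            break
        }
    }

    # Walk each comma-separated SAN entry (email:..., DNS:..., IP Address:...)
    # and accept the peer only if one of them is on the allowlist.
    foreach entry [split $san_line ","] {
        set entry [string trim $entry]
        if { $entry ne "" && [class match $entry equals ike_allowed_devices] } {
            set allowed 1
            break
        }
    }

    # Default deny: no matching SAN entry (or no SAN at all) fails negotiation.
    if { !$allowed } {
        log local0. "IKE_AUTH rejected [X509::subject $ike_cert] SAN=\"$san_line\""
        IKE::abort
    }
}
```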

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-15.0.0 -- First introduced the event.

BIG-IP						      2020-06-23					     iRule(1)