git.ipfire.org Git - thirdparty/strongswan.git/commit
ikev2: Add support to switch peer configs based on EAP-Identities
author Tobias Brunner <tobias@strongswan.org>
Tue, 4 Mar 2025 10:14:14 +0000 (11:14 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Mon, 14 Apr 2025 10:05:24 +0000 (12:05 +0200)
commit 2f2e4abe3c5256d13195fdd0b90538ada4aa9928
tree fe9d88c6f432a67810ea6b618e4160e15a79a4a3
parent 651a5b0ded3c572850699d8caca429d3f2c6df51

This changes how EAP identities are used from the config. Instead of
setting a statically configured identity != %any, an EAP-Identity
exchange is now always initiated (and required).  If the received identity
doesn't match, the peer config is switched to one with a matching
identity (wildcards are supported for that match).  This allows switching
to a config with a different EAP method or child settings based on the
EAP identity.

There is currently no "best" match.  The configs are evaluated based on
the order returned from the initial peer config lookup.

References strongswan/strongswan#2702
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
src/libcharon/sa/ikev2/tasks/ike_auth.c
src/swanctl/swanctl.opt
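
Because the commit message states that there is no "best" match and configs are tried in lookup order, a broad wildcard EAP identity placed ahead of a narrower one keeps the narrower config from ever being selected. The C sketch below is an added illustration, not code from this commit or from strongSwan; the `peer_cfg_t` struct, the function names, the sample identities and the suffix-only wildcard rule are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (not strongSwan code): config name + EAP identity pattern,
 * where a pattern is "%any", "*suffix" or an exact identity. */
typedef struct { const char *name, *eap_id; } peer_cfg_t;

static int ends_with(const char *s, const char *x) {
    size_t ls = strlen(s), lx = strlen(x);
    return ls >= lx && strcmp(s + ls - lx, x) == 0;
}

/* Assumed matching rule: a leading '*' matches any prefix. */
static int match_id(const char *pattern, const char *id) {
    if (strcmp(pattern, "%any") == 0) return 1;
    if (pattern[0] == '*') return ends_with(id, pattern + 1);
    return strcmp(pattern, id) == 0;
}

/* 1 if pattern a matches every identity that pattern b matches. */
static int covers(const char *a, const char *b) {
    if (strcmp(a, "%any") == 0) return 1;
    if (strcmp(b, "%any") == 0 || (b[0] == '*' && a[0] != '*')) return 0;
    return match_id(a, b[0] == '*' ? b + 1 : b);
}

/* First match in lookup order wins; -1 if no config matches. */
static int select_cfg(const peer_cfg_t *c, int n, const char *received) {
    for (int i = 0; i < n; i++)
        if (match_id(c[i].eap_id, received)) return i;
    return -1;
}

/* Index of an earlier config that makes c[i] unreachable, or -1. */
static int shadowed_by(const peer_cfg_t *c, int i) {
    for (int j = 0; j < i; j++)
        if (covers(c[j].eap_id, c[i].eap_id)) return j;
    return -1;
}

/* Constructed sample: the broad wildcard is listed before the specific one. */
static const peer_cfg_t sample[] = {
    { "staff", "*@example.org" }, { "ops", "*-ops@example.org" }, { "guest", "%any" } };

int main(void) {
    int hit = select_cfg(sample, 3, "carol-ops@example.org");
    printf("selected: %s\n", sample[hit].name);
    printf("ops shadowed by: %s\n", sample[shadowed_by(sample, 1)].name);
    return 0;
}
```

Running a check like `shadowed_by` over the intended config order before deployment flags entries whose EAP method or child settings would never take effect.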