ext-auth Plugin

Purpose

The ext-auth plugin invokes an external script to implement custom authorization rules.

The plugin is disabled by default and can be enabled by adding --enable-ext-auth to the ./configure options.

Implementation

If a script is configured, the plugin runs it during IKE_SA authorization and evaluates its exit status. An exit status of 0 grants authorization. Any other exit status rejects the IKE_SA authorization, which usually results in an AUTH_FAILED notification to the peer. Because the shell itself returns a non-zero status when it cannot run the command, a missing or non-executable script fails closed rather than open.

The configured command is invoked under a shell (sh -c), so the configured string is interpreted by the shell; it should be a fixed path to a script that is not writable by unprivileged users. The script receives the following environment variables. The remote identities among them are supplied by the peer and should be treated as untrusted input: always quote them in the script and compare them exactly rather than with patterns.

Variable            Description
IKE_UNIQUE_ID       Numerical unique identifier of the IKE_SA
IKE_NAME            Connection name of the peer configuration
IKE_LOCAL_HOST      Local IKE IP address
IKE_REMOTE_HOST     Remote IKE IP address
IKE_LOCAL_ID        Local IKE identity
IKE_REMOTE_ID       Remote IKE identity
IKE_REMOTE_EAP_ID   Remote EAP or XAuth identity, if used

Configuration

The plugin is configured using the following strongswan.conf options:

Key                              Default   Description
charon.plugins.ext-auth.script   NULL      Script or command to execute
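The following script is an added example of how the two sections above fit together; it is not part of strongSwan. It authorizes a peer only if its identity appears on an allowlist, fails closed on any missing input, and shows the strongswan.conf stanza that would point the plugin at it. The script path, the connection name "rw", the allowlist entries and the rule that an EAP identity takes precedence over the IKE identity are all assumptions made for the example.

```shell
#!/bin/sh
# Added example of an ext-auth script; not part of strongSwan. It would be
# referenced from strongswan.conf like this (the path is an assumption):
#
#   charon {
#       plugins {
#           ext-auth {
#               script = /usr/local/libexec/ipsec-ext-auth.sh
#           }
#       }
#   }
#
# charon runs the script through "sh -c" with the IKE_* variables in the
# environment and grants authorization only on exit status 0, so every
# path below that is not an explicit grant ends in a denial.

# Constructed allowlist of remote identities, one per line. In a deployment a
# root-owned file under /etc that nobody else can write would replace this.
ALLOWLIST='alice@example.org
bob@example.org
CN=gw1, O=Example Corp'

# is_allowed ID: succeed only if ID equals one allowlist line exactly.
# Exact comparison rather than grep or a case pattern: the identity is chosen
# by the peer, so "alice@example.org.evil" or "*" must not match anything.
is_allowed() {
    id=$1
    while IFS= read -r allowed; do
        [ "$id" = "$allowed" ] && return 0
    done <<EOF
$ALLOWLIST
EOF
    return 1
}

# decide CONN REMOTE_ID EAP_ID: the authorization rule; 0 = grant, 1 = deny.
# Policy (an assumption for this example): only the connection named "rw" is
# subject to the list, and when EAP/XAuth was used the EAP identity is the one
# that was actually authenticated, so it takes precedence over the IKE identity.
decide() {
    conn=$1
    remote_id=$2
    eap_id=$3

    [ "$conn" = "rw" ] || return 1

    if [ -n "$eap_id" ]; then
        id=$eap_id
    else
        id=$remote_id
    fi
    # An empty identity must never be authorized.
    [ -n "$id" ] || return 1

    is_allowed "$id"
}

# When charon invokes the script the IKE_* variables are set: decide and exit
# with the result. Running the file without them (e.g. to test the functions
# above from another script) does nothing.
if [ -n "${IKE_UNIQUE_ID:-}" ]; then
    if decide "${IKE_NAME:-}" "${IKE_REMOTE_ID:-}" "${IKE_REMOTE_EAP_ID:-}"; then
        exit 0
    fi
    exit 1
fi
```

The script does no network or file I/O so it returns immediately; anything slower (an LDAP or HTTP lookup, for instance) delays the IKE_SA it is authorizing, so keep such checks short and give them a timeout.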