IKEv2 Name Mangler Tidbit

I want to touch on what the IKEv2 Name Mangler is and what it gives us. A name mangler derives a name from the remote peer's IKE identity, and that derived name is then used as the key for the AAA authorization request. The name can be built from a distinguished name (DN), an EAP identity, an FQDN, or an email address (for example, the hostname portion of an FQDN or the username portion of an email address). Note that a name mangler cannot derive a name from an IP address identity. This gives us the flexibility to perform per-peer AAA policy lookups based on the remote peer's IKE identity instead of applying one static policy name to every peer that matches the profile. The name mangler is referenced on the aaa authorization line inside the IKEv2 profile, and the lookup takes place during the IKE_AUTH exchange, after the peer has been authenticated.


Brief overview of how Name Mangler works:


An incoming connection matches the IKEv2 profile that references the name mangler. The responder (typically the hub) then derives the name to use for authorization from the initiator's IKE identity, extracting whichever component the name mangler configuration specifies. Next, the responder tries to retrieve an authorization policy with that derived name, either from the locally configured IKEv2 authorization policies or from an external RADIUS server. If a policy is found, all attributes configured under it (address pool, routes, DNS servers, and so on) are applied to that session. If no policy with the derived name exists, the tunnel does not come up: the IKE_AUTH exchange fails. A spoke that authenticates successfully but never establishes an SA is therefore often just a spoke whose derived name does not match any configured policy name.
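The hub-side configuration below is an added example written for this tidbit; it is not the configuration from the linked walkthrough, and the domain, pool, keyring, AAA list, profile and policy names are all assumed for illustration. It derives the authorization policy name from the hostname portion of the spoke's FQDN identity, so a spoke presenting spoke1.example.com is authorized with the policy named spoke1, while a spoke presenting spoke2.example.com (for which no policy is configured) fails IKE_AUTH exactly as described above.

```cisco
! --- Added example (not from the original post): FlexVPN hub using an IKEv2 name mangler ---
! Assumed names: domain example.com, pool FLEX-POOL, keyring FLEX-KR, AAA list FLEX-LOCAL,
! profile FLEX-HUB, mangler FLEX-MANGLER. Only the lines relevant to authorization are shown.
aaa new-model
aaa authorization network FLEX-LOCAL local

ip local pool FLEX-POOL 10.255.0.10 10.255.0.100

! Derive the authorization name from the hostname portion of the peer's FQDN identity
! (spoke1.example.com -> "spoke1"). Other selectors include "fqdn domain",
! "email username", "email domain", "dn common-name" and "eap prefix delimiter @".
crypto ikev2 name-mangler FLEX-MANGLER
 fqdn hostname

! Per-spoke policy. The policy name must equal the derived name exactly.
ip access-list standard SPOKE1-ROUTES
 permit 192.168.1.0 0.0.0.255
crypto ikev2 authorization policy spoke1
 pool FLEX-POOL
 route set interface
 route set access-list SPOKE1-ROUTES

! There is intentionally no "crypto ikev2 authorization policy spoke2":
! a spoke identifying as spoke2.example.com is authenticated but then fails IKE_AUTH,
! because the authorization lookup for the derived name "spoke2" finds nothing.

crypto ikev2 keyring FLEX-KR
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key EXAMPLE-PSK-CHANGE-ME

crypto ikev2 profile FLEX-HUB
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KR
 ! Group authorization for PSK peers; the name mangler supplies the policy name
 ! that would otherwise be a single fixed name on this line.
 aaa authorization group psk list FLEX-LOCAL name-mangler FLEX-MANGLER
 virtual-template 1
```

The policy names are compared against the derived string as-is, so keep spoke hostnames and policy names in the same case and check the configured policies with `show crypto ikev2 authorization policy` before blaming the PSK or the keyring when a spoke fails at IKE_AUTH.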


To see the name mangler in action, see: Configuring, Verifying, & Troubleshooting FlexVPN Name Mangler Feature


Cheers!




#learnITwithCifelli

© 2023 by Train of Thoughts. Proudly created with Wix.com