[strongSwan] Multiple certificate authentication

Andreas Steffen andreas.steffen at strongswan.org
Fri Jul 20 08:42:09 CEST 2012


Hi Matt,

in fact, if the RADIUS or AAA server has a different certificate
than the VPN gateway then you can define the AAA identity with

    aaa_identity=<subject DN or subjectAltName of AAA server>

as in the following example

http://www.strongswan.org/uml/testresults5/ikev2/rw-eap-tls-radius/carol.ipsec.conf

Best regards

Andreas

On 07/19/2012 06:58 PM, Keeler, Matthew J. wrote:
> I have a strongswan client connecting to a strongswan server. The server
> has the right authentication method set to be eap-radius.
>
> The client's configuration has the rightcert value set to be the
> certificate of the strongswan server and the leftauth set to eap-ttls.
> The client/server connection validates the certificate and the server
> then starts the eap authentication with the radius server. At this point
> the client complains that the server certificate does not match. I am
> assuming that it is talking about the certificate of the radius server
> (which is in fact different from the strongswan server cert).
>
> How can I get around this and get the certificate validation working for
> the strongswan server and the radius server?
>
> Thanks
>
> Matt Keeler
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
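
The client-side setting described in the reply, as an added configuration example that is not part of the original thread or of the linked test configuration. The connection name, host name, distinguished names and certificate file name are placeholders chosen for illustration.

```conf
# /etc/ipsec.conf on the client (constructed example, placeholder values)

conn gateway
	keyexchange=ikev2

	# IKEv2 peer: the VPN gateway authenticates with its own certificate.
	right=vpn.example.org
	rightid="C=CH, O=Example, CN=vpn.example.org"
	rightcert=gatewayCert.pem
	rightauth=pubkey

	# The client authenticates with EAP-TTLS; the TLS tunnel ends at the
	# RADIUS/AAA server, which presents a different certificate.
	leftauth=eap-ttls

	# Identity the AAA server certificate must carry (subject DN or
	# subjectAltName), so the check is made against the RADIUS server
	# instead of the gateway identity.
	aaa_identity="C=CH, O=Example, CN=radius.example.org"

	auto=add
```

The CA that issued the AAA server certificate must also be trusted by the client, otherwise the certificate is rejected even when the identity matches.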
