[strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Modster, Anthony Anthony.Modster at Teledyne.com
Thu Nov 15 01:36:15 CET 2018


Hello

If VPN tunnel 1 is started before VPN tunnel 2, then VPN tunnel 2 does not select the correct SCA cert during TLS EAP.
It does show the correct SCA cert during configuration.
VPN tunnel 1 is OK.

If VPN tunnel 2 is started before VPN tunnel 1, then both VPN tunnels are OK.

VPN tunnel 1: "user cert 1" -> SCA 1 -> TA
VPN tunnel 2: "user cert 2" -> SCA 4 -> TA
Note: TA is the same for both VPN tunnels.

VPN tunnel 1: left auth = pubkey
VPN tunnel 2: left auth = eap

strongSwan version: 5.5.1
VICI interface

Note: VPN tunnel 1 is up and OK.

!!! Selected user cert is CN=TDY Test SCA 4

2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG]   certificate "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 4" key: 2048 bit RSA
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG]   using trusted ca certificate "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test Root CA"
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] checking certificate status of "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 4"
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] ocsp check skipped, no ocsp found
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG]   fetching crl from 'http://www.carillon.ca/caops/TEST-cisRCA1.crl' ...
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[LIB] unable to fetch from http://www.carillon.ca/caops/TEST-cisRCA1.crl, no capable fetcher found
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] crl fetching failed
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate status is not available
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate policy 1.3.6.1.4.1.25054.3.1.113 for 'C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=ELS-VPAPP-WGL08 - ID, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls' not allowed by trustchain, ignored
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG]   certificate "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test Root CA" key: 2048 bit RSA
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG]   reached self-signed root ca with a path length of 1
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[TLS] sending TLS peer certificate 'CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems Engineering, C=US'
!!! ? Why did TLS send the SCA 1 cert?

2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[TLS] sending TLS intermediate certificate 'C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 1'
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE] reinitiating already active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE]   IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[ENC] generating IKE_AUTH request 6 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[NET] sending packet: from 10.29.232.184[4500] to 76.232.248.211[4500] (1112 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[NET] received packet: from 76.232.248.211[4500] to 10.29.232.184[4500] (88 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[IKE] reinitiating already active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[IKE]   IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[ENC] generating IKE_AUTH request 7 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[NET] sending packet: from 10.29.232.184[4500] to 76.232.248.211[4500] (1112 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[NET] received packet: from 76.232.248.211[4500] to 10.29.232.184[4500] (88 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[IKE] reinitiating already active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[IKE]   IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[ENC] generating IKE_AUTH request 8 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[NET] sending packet: from 10.29.232.184[4500] to 76.232.248.211[4500] (1112 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[NET] received packet: from 76.232.248.211[4500] to 10.29.232.184[4500] (88 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE] reinitiating already active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE]   IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[ENC] generating IKE_AUTH request 9 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[NET] sending packet: from 10.29.232.184[4500] to 76.232.248.211[4500] (536 bytes)
2018 Nov 14 00:35:39+00:00 wglng-17 charon [info] 14[NET] received packet: from 76.232.248.211[4500] to 10.29.232.184[4500] (104 bytes)
2018 Nov 14 00:35:39+00:00 wglng-17 charon [info] 14[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:39+00:00 wglng-17 charon [info] 14[TLS] received fatal TLS alert 'access denied'
2018 Nov 14 00:35:39+00:00 wglng-17 charon [info] 14[IKE] EAP_TLS method failed
2018 Nov 14 00:35:39+00:00 wglng-17 charon [info] 14[ENC] generating INFORMATIONAL request 10 [ N(AUTH_FAILED) ]

Thanks
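
As an added check, not part of the original post and not strongSwan project code: a small Python parser that reads charon log lines in the format quoted above and flags the symptom described, namely that the intermediate CA certificate charon walked while validating the trust chain (the CFG lines) is not the one it then sent in the EAP-TLS Certificate message (the TLS lines). The two log excerpts are constructed for this example; the first mirrors the post's lines (SCA 4 validated, SCA 1 sent, "access denied" alert), the second is a healthy counterpart. The number before the subsystem tag (06, 14, ...) is the charon worker thread, not an IKE SA identifier, so the script treats an excerpt as a single IKE_AUTH/EAP-TLS exchange; when auditing a real log, cut it to one exchange first.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One charon syslog line: "<ts> <host> charon [level] NN[GROUP] message".
# NN is the worker thread that handled the packet, not an IKE SA id.
LINE_RE = re.compile(
    r"^\S+ \S+ \S+ \S+ \S+ charon \[\w+\] (?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)

# Message shapes taken from the lines quoted in the post.
TRUSTED_RE = re.compile(r'^using trusted ca certificate "([^"]+)"')
WALKED_RE = re.compile(r'^certificate "([^"]+)" key:')
SENT_PEER_RE = re.compile(r"^sending TLS peer certificate '([^']+)'")
SENT_INT_RE = re.compile(r"^sending TLS intermediate certificate '([^']+)'")
ALERT_RE = re.compile(r"^received fatal TLS alert '([^']+)'")


def cn_of(dn: str) -> str:
    """Return the CN attribute of a DN string, or the whole DN if it has none."""
    m = re.search(r"\bCN=([^,]+)", dn)
    return m.group(1).strip() if m else dn


@dataclass
class ChainAudit:
    trusted_roots: List[str] = field(default_factory=list)  # "using trusted ca certificate"
    walked: List[str] = field(default_factory=list)         # certs CFG validated, leaf side first
    sent_peer: Optional[str] = None                         # end-entity cert sent by TLS
    sent_intermediates: List[str] = field(default_factory=list)
    tls_alert: Optional[str] = None

    def expected_intermediates(self) -> List[str]:
        # Every cert CFG walked that is not a trust anchor is an intermediate
        # the TLS Certificate message should carry.
        return [dn for dn in self.walked if dn not in self.trusted_roots]

    def mismatched(self) -> bool:
        expected = sorted(cn_of(dn) for dn in self.expected_intermediates())
        sent = sorted(cn_of(dn) for dn in self.sent_intermediates)
        return expected != sent


def audit_eap_tls_chain(log_text: str) -> ChainAudit:
    """Correlate CFG trust-chain validation with the certificates TLS actually sent."""
    audit = ChainAudit()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        group, msg = m["group"], m["msg"]
        if group == "CFG":
            t, w = TRUSTED_RE.match(msg), WALKED_RE.match(msg)
            if t:
                audit.trusted_roots.append(t.group(1))
            elif w:
                audit.walked.append(w.group(1))
        elif group == "TLS":
            p, i, a = SENT_PEER_RE.match(msg), SENT_INT_RE.match(msg), ALERT_RE.match(msg)
            if p:
                audit.sent_peer = p.group(1)
            elif i:
                audit.sent_intermediates.append(i.group(1))
            elif a:
                audit.tls_alert = a.group(1)
    return audit


def findings(audit: ChainAudit) -> List[str]:
    """Problems found; an empty list means the chain sent matches the chain validated."""
    out = []
    if audit.mismatched():
        out.append("intermediate CA mismatch: validated %s but sent %s" % (
            [cn_of(d) for d in audit.expected_intermediates()],
            [cn_of(d) for d in audit.sent_intermediates]))
    if audit.tls_alert:
        out.append("EAP-TLS failed with alert '%s'" % audit.tls_alert)
    return out


ORG = "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering"
P = "2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] "
PEER = "CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems Engineering, C=US"
# Constructed excerpt mirroring the post: SCA 4 is validated, SCA 1 is sent.
BROKEN_SAMPLE = "\n".join([
    P + '06[CFG]   certificate "%s, CN=TDY Test SCA 4" key: 2048 bit RSA' % ORG,
    P + '06[CFG]   using trusted ca certificate "%s, CN=TDY Test Root CA"' % ORG,
    P + '06[CFG]   certificate "%s, CN=TDY Test Root CA" key: 2048 bit RSA' % ORG,
    P + "06[CFG]   reached self-signed root ca with a path length of 1",
    P + "06[TLS] sending TLS peer certificate '%s'" % PEER,
    P + "06[TLS] sending TLS intermediate certificate '%s, CN=TDY Test SCA 1'" % ORG,
    P + "14[TLS] received fatal TLS alert 'access denied'",
])
# Constructed healthy counterpart: the intermediate sent is the one validated.
HEALTHY_SAMPLE = "\n".join([
    P + '06[CFG]   certificate "%s, CN=TDY Test SCA 4" key: 2048 bit RSA' % ORG,
    P + '06[CFG]   using trusted ca certificate "%s, CN=TDY Test Root CA"' % ORG,
    P + '06[CFG]   certificate "%s, CN=TDY Test Root CA" key: 2048 bit RSA' % ORG,
    P + "06[TLS] sending TLS peer certificate '%s'" % PEER,
    P + "06[TLS] sending TLS intermediate certificate '%s, CN=TDY Test SCA 4'" % ORG,
])

if __name__ == "__main__":
    for name, text in (("post excerpt", BROKEN_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        print(name, findings(audit_eap_tls_chain(text)) or ["chain sent matches chain validated"])
```

Run against a real charon log with `audit_eap_tls_chain(open("charon.log").read())` after trimming it to one IKE_AUTH exchange; a non-empty `findings()` list on a connection whose configuration shows the right SCA reproduces the symptom the post describes.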
