[strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Modster, Anthony Anthony.Modster at Teledyne.com
Tue Nov 27 23:02:29 CET 2018


Hello Tobias
Did you get my last email with attachments?

-----Original Message-----
From: Modster, Anthony 
Sent: Monday, November 26, 2018 3:46 PM
To: 'Tobias Brunner' <tobias at strongswan.org>; users at lists.strongswan.org
Subject: RE: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hello Tobias
Sorry for the late reply, I was on vacation.
Let me know if you get this email and all attachments.

Attached are the credentials in both locations on the target ".tar".

Also attached is the credentials dumped using "ipsec pki --print".

Provide certificates to strongswan
•	swanctl.tar ipsecd.tar
More cert information
•	ipsec pki --print -i /etc/swanctl/x509/Org1.crt
•	ipsec pki --print -i /etc/swanctl/x509ca/Org1.sca1
•	ipsec pki --print -i /etc/swanctl/x509ca/Org1.ta
•	ipsec pki --print -i /etc/swanctl/x509/Org2.crt
•	ipsec pki --print -i /etc/swanctl/x509ca/Org2.sca1
•	ipsec pki --print -i /etc/swanctl/x509ca/Org2.ta
•	https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiPrint
Debug for configured certificates/identities in struct s_connection_parameters
•	vici_do_connect() conn_name=sgateway1-radio2 ike_version=2 local_addrs=10.20.64.145 remote_addrs=76.232.248.196 eap_id= proposals=aes256-sha512-sha384-ecp256-sha256-modp2048-prfsha1 ike_reauth_time=240m ike_rekey_time=0 local_cert=/etc/swanctl/x509/Org1.crt local_id=RA00017 at teledyne.com remote_id=C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=WGL196 - ID, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls esp_proposals=aes256-sha1 child_local_ts= child_remote_ts=80.80.80.15 child_rekey_time=0 left_auth=pubkey mobike=no dpd_delay=20s child_dpd_action=restart dpd_timeout= keying_tries=0
•	vici_do_connect() conn_name=sgateway2-radio2 ike_version=2 local_addrs=10.20.64.145 remote_addrs=76.232.248.211 eap_id= proposals=aes256-sha384-modp2048 ike_reauth_time=240m ike_rekey_time=0 local_cert=/etc/swanctl/x509/Org2.crt local_id=RA00017 at teledyne.com remote_id=C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=ELS-VPAPP-WGL08 - ID, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls esp_proposals=aes256-sha256-sha1 child_local_ts= child_remote_ts=172.16.207.140 child_rekey_time=0 left_auth=eap mobike=no dpd_delay=20s child_dpd_action=restart dpd_timeout= keying_tries=0

Thanks
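Added example, not part of this thread and not strongSwan's own tooling: before asking why charon picks a particular sub-CA ("SCA") for a user certificate, it helps to establish independently which SCA actually issued that certificate. The POSIX shell script below builds a small constructed PKI with one trust anchor, two sub-CAs (standing in for the Org1.sca1 / Org2.sca1 files above) and one end-entity certificate, then answers that question with a real signature-chain check via `openssl verify` rather than just comparing names. It uses `openssl` instead of `ipsec pki --print` and assumes an `openssl` binary (1.1.1 or newer) on PATH; all subject names, file names and the temporary directory are constructed.

```shell
#!/bin/sh
# Constructed mini-PKI: root -> sca1 -> ee, plus a sibling sca2 that did NOT
# issue ee. Everything is written to a fresh temporary directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-contained req config so the script does not depend on the system
# openssl.cnf; the v3_ca section marks the self-signed root as a CA.
cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
printf 'basicConstraints=CA:FALSE\n' > ee_ext.cnf

# Trust anchor (constructed subject name).
openssl req -x509 -config root.cnf -newkey rsa:2048 -nodes -sha256 -days 2 \
  -keyout root.key -out root.crt -subj "/O=Example Org/CN=Example Root" 2>/dev/null

# Two sub-CAs under the same root: same trust anchor, different intermediates.
for n in sca1 sca2; do
  openssl req -config root.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout "$n.key" -out "$n.csr" -subj "/O=Example Org/CN=Example $n" 2>/dev/null
  openssl x509 -req -in "$n.csr" -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -sha256 -extfile ca_ext.cnf -out "$n.crt" 2>/dev/null
done

# End-entity certificate (the "user cert" a VICI client would load), issued by sca1 only.
openssl req -config root.cnf -newkey rsa:2048 -nodes -sha256 \
  -keyout ee.key -out ee.csr -subj "/O=Example Org/CN=device0001" 2>/dev/null
openssl x509 -req -in ee.csr -CA sca1.crt -CAkey sca1.key -CAcreateserial \
  -days 2 -sha256 -extfile ee_ext.cnf -out ee.crt 2>/dev/null

# issuing_sca LEAF SCA... : print the first SCA file through which LEAF chains
# to root.crt. This is a signature check, so two SCAs with identical subject
# DNs (e.g. a re-keyed sub-CA) are still told apart.
issuing_sca() {
  leaf=$1; shift
  for sca in "$@"; do
    if openssl verify -CAfile root.crt -untrusted "$sca" "$leaf" >/dev/null 2>&1; then
      echo "$sca"
      return 0
    fi
  done
  return 1
}

# dn_match LEAF SCA : succeed if LEAF's issuer DN equals SCA's subject DN.
# Name matching alone is the weaker test; it is what a quick manual comparison
# of two --print dumps gives you, and it cannot distinguish same-named SCAs.
dn_match() {
  [ "$(openssl x509 -noout -issuer -in "$1")" = \
    "$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=/issuer=/')" ]
}

# Prints "sca1.crt": the order of candidates does not matter for the signature check.
issuing_sca ee.crt sca2.crt sca1.crt
```

Run against a real deployment by replacing `root.crt`, the SCA files and `ee.crt` with the trust anchor, the candidate sub-CA certificates and the user certificate; if `issuing_sca` names a different SCA than the one the daemon logs, the chain it is building is not the one the files support.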

-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org> 
Sent: Monday, November 19, 2018 3:00 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

> For this setup are credential directory looks like this
> /media/sde1/certs/Org1:
> Org1.chain  Org1.crt  Org1.key	Org1.sca1  Org1.ta
> /media/sde1/certs/Org2:
> Org2.chain  Org2.crt  Org2.key	Org2.sca2  Org2.ta
> 
> So we only load the "user cert" using VICI, we're letting charon select the correct key and sca.

Could you please provide more information on these certificate chains (preferably the files themselves, but output from `pki --print` might help too) and the configured certificates/identities (the code you added is itself configured via `struct s_connection_parameters`).

Regards,
Tobias

