[strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Tobias Brunner tobias at strongswan.org
Wed Nov 28 11:20:54 CET 2018


Hi Anthony,

As I suspected, you use the same identity for the two end-entity
certificates that are signed by different intermediate CAs:

> ipsec pki --print -i /etc/swanctl/x509/Org1.crt
> subject:  "CN=RA00017.auth, ..."
> issuer:   "..., CN=TDY Test SCA 1"
> ...
> altNames:  RA00017 at teledyne.com
> ...

> ipsec pki --print -i /etc/swanctl/x509/Org2.crt
> subject:  "CN=RA00017.auth, ..."
> issuer:   "..., CN=TDY Test SCA 4"
> ...
> altNames:  RA00017 at teledyne.com
> ...

The configured identity is RA00017 at teledyne.com in both configs; that
you also configure a different certificate explicitly doesn't matter
because EAP-TLS currently doesn't use that setting (the lookup is done
based on the configured identity only).  Certificate requests should be
considered, but if the cert request is for the root CA that won't help
(it might even depend on the order of the certificate requests if
multiple are received).

Regards,
Tobias
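A check for the ambiguity described above, added here as an example and not part of strongSwan: it parses the `subject:`/`issuer:`/`altNames:` lines that `ipsec pki --print` emits for each certificate and reports any identity that appears in certificates from different issuers. The two dumps are constructed from the values quoted in the mail (the SAN is written with `@`, which the archive obfuscates as " at "); the function names are the example's own.

```python
from collections import defaultdict

# Constructed sample: the two `ipsec pki --print` dumps quoted above,
# trimmed to the lines the check needs.
PKI_DUMPS = {
    "Org1.crt": 'subject:  "CN=RA00017.auth, ..."\n'
                'issuer:   "..., CN=TDY Test SCA 1"\n'
                'altNames:  RA00017@teledyne.com',
    "Org2.crt": 'subject:  "CN=RA00017.auth, ..."\n'
                'issuer:   "..., CN=TDY Test SCA 4"\n'
                'altNames:  RA00017@teledyne.com',
}


def parse_pki_print(text):
    """Return (subject, issuer, [altNames]) from `ipsec pki --print` output."""
    subject = issuer = None
    alt_names = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "subject":
            subject = value.strip('"')
        elif key == "issuer":
            issuer = value.strip('"')
        elif key == "altNames":
            alt_names = [n.strip() for n in value.split(",") if n.strip()]
    return subject, issuer, alt_names


def identities(subject, alt_names):
    """Identities a peer may be configured with: each SAN plus the subject DN."""
    return set(alt_names) | {subject}


def find_ambiguous_identities(dumps):
    """Map identity -> {issuer: [files]} for every identity that occurs in
    certificates from more than one issuer.  With EAP-TLS selecting the
    certificate by identity alone, each such entry is a possible mismatch."""
    by_identity = defaultdict(lambda: defaultdict(list))
    for name, text in dumps.items():
        subject, issuer, alt_names = parse_pki_print(text)
        for ident in identities(subject, alt_names):
            by_identity[ident][issuer].append(name)
    return {i: dict(iss) for i, iss in by_identity.items() if len(iss) > 1}


if __name__ == "__main__":
    for ident, issuers in find_ambiguous_identities(PKI_DUMPS).items():
        print(f"identity {ident!r} is issued by {len(issuers)} CAs: {issuers}")
```

Run it against the real dumps by replacing `PKI_DUMPS` with the output of `ipsec pki --print -i <file>` for each certificate in the credential directory.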
