[strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Modster, Anthony Anthony.Modster at Teledyne.com
Wed Nov 28 19:31:30 CET 2018


Hello Tobias

Can VICI be configured to load a specific SCA cert per VPN (would this help)?

-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org> 
Sent: Wednesday, November 28, 2018 2:21 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

As I suspected, you use the same identity for the two end-entity certificates that are signed by different intermediate CAs:

> ipsec pki --print -i /etc/swanctl/x509/Org1.crt
> subject:  "CN=RA00017.auth, ..."
> issuer:   "..., CN=TDY Test SCA 1"
> ...
> altNames:  RA00017 at teledyne.com
> ...

> ipsec pki --print -i /etc/swanctl/x509/Org2.crt
> subject:  "CN=RA00017.auth, ..."
> issuer:   "..., CN=TDY Test SCA 4"
> ...
> altNames:  RA00017 at teledyne.com
> ...

The configured identity is RA00017 at teledyne.com in both configs; that you also configure a different certificate explicitly doesn't matter, because EAP-TLS currently doesn't use that setting (the lookup is done based on the configured identity only). Certificate requests should be considered, but if the cert request is for the root CA that won't help (it might even depend on the order of the certificate requests if multiple are received).

Regards,
Tobias


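Added example, not code from the thread or from strongSwan: a small Python check over `pki --print` output that flags identities (subject DN or altName) carried by certificates from different issuers, which is the situation Tobias describes, where an identity-only lookup cannot tell the two end-entity certificates apart. The sample output, file names and identities are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines of `pki --print` output for three
# end-entity certificates, modelled on the thread (names are placeholders).
PKI_PRINT_OUTPUT = {
    "/etc/swanctl/x509/Org1.crt": """\
  subject:  "CN=RA00017.auth, O=Example Org"
  issuer:   "O=Example Org, CN=TDY Test SCA 1"
  altNames:  RA00017@example.test
""",
    "/etc/swanctl/x509/Org2.crt": """\
  subject:  "CN=RA00017.auth, O=Example Org"
  issuer:   "O=Example Org, CN=TDY Test SCA 4"
  altNames:  RA00017@example.test
""",
    "/etc/swanctl/x509/Other.crt": """\
  subject:  "CN=RA00099.auth, O=Example Org"
  issuer:   "O=Example Org, CN=TDY Test SCA 1"
  altNames:  RA00099@example.test
""",
}

FIELD_RE = re.compile(r'^\s*(subject|issuer|altNames):\s+(.*?)\s*$')

def parse_pki_print(text):
    """Extract subject, issuer and altNames from `pki --print` text."""
    fields = {"subject": None, "issuer": None, "altNames": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "altNames":
            fields[key] = [n.strip() for n in value.split(",") if n.strip()]
        else:
            fields[key] = value.strip('"')
    return fields

def find_identity_collisions(outputs):
    """Return identities backed by certificates from more than one issuer.
    Such identities are ambiguous for a lookup keyed on identity alone."""
    issuers, files = defaultdict(set), defaultdict(list)
    for path, text in outputs.items():
        cert = parse_pki_print(text)
        for identity in [cert["subject"], *cert["altNames"]]:
            issuers[identity].add(cert["issuer"])
            files[identity].append(path)
    return {i: {"issuers": sorted(s), "files": files[i]}
            for i, s in issuers.items() if len(s) > 1}
```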