[strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Tobias Brunner tobias at strongswan.org
Thu Nov 29 14:12:07 CET 2018


Hi Anthony,

> ? can VICI be configured to load a specific SCA cert per VPN (would this help)

That doesn't make a difference.  As mentioned, only the identity is
relevant on the client.  So unless you can get the server to send a TLS
certificate request only for a specific intermediate CA you can't
control the client's certificate selection if you use the same identity
for both end-entity certificates.  Similarly, on the server side, where
strongSwan sends TLS certificate requests for all available CA
certificates (i.e. like the certs option, the cacerts option is only
relevant for IKE, not for EAP-TLS).

Regards,
Tobias
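
A simplified Python model of the selection behaviour described in this message, added here as an illustration; it is not strongSwan code and not part of the original post. The `Credential` type, the CA names, the identities and the first-match tie-break by load order are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    """A client end-entity certificate with its private key (constructed sample)."""
    name: str          # label used in this example only
    identities: tuple  # identities the certificate can assert (subject / SANs)
    chain: tuple       # issuing CAs, intermediate first, root last

def select_client_cert(identity, credentials, requested_cas):
    """Return the first credential that asserts `identity` and chains to a
    CA named in the server's TLS certificate request, or None.

    Assumption: ties are broken by load order. The connection (VPN) the
    tunnel belongs to is deliberately not an input, matching the e-mail.
    """
    for cred in credentials:
        if identity in cred.identities and set(cred.chain) & set(requested_cas):
            return cred
    return None

# Constructed sample data: two intermediate CAs under one root.
ROOT, SCA_A, SCA_B = "CN=Root CA", "CN=Sub CA A", "CN=Sub CA B"
ALL_CAS = (ROOT, SCA_A, SCA_B)

def shared_identity_store():
    # Both end-entity certificates carry the same identity.
    return [
        Credential("cert-a", ("client@example.org",), (SCA_A, ROOT)),
        Credential("cert-b", ("client@example.org",), (SCA_B, ROOT)),
    ]

def distinct_identity_store():
    # Each end-entity certificate carries its own identity.
    return [
        Credential("cert-a", ("client-a@example.org",), (SCA_A, ROOT)),
        Credential("cert-b", ("client-b@example.org",), (SCA_B, ROOT)),
    ]

if __name__ == "__main__":
    shared = shared_identity_store()
    # Server requests every CA it knows: the result does not depend on the VPN.
    print(select_client_cert("client@example.org", shared, ALL_CAS).name)
    # Server requests only one intermediate CA: the selection is pinned.
    print(select_client_cert("client@example.org", shared, (SCA_B,)).name)
    # Distinct identities per certificate: the identity alone decides.
    distinct = distinct_identity_store()
    print(select_client_cert("client-b@example.org", distinct, ALL_CAS).name)
```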