[strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert
Modster, Anthony
Anthony.Modster at Teledyne.com
Thu Nov 29 18:25:11 CET 2018
Thanks
-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org>
Sent: Thursday, November 29, 2018 5:12 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Cc: Wong, Richard <Richard.Wong at Teledyne.com>
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert
Hi Anthony,
> ? can VICI be configured to load a specific SCA cert per VPN (would
> this help)
That doesn't make a difference. As mentioned, only the identity is relevant on the client. So unless you can get the server to send a TLS certificate request only for a specific intermediate CA you can't control the client's certificate selection if you use the same identity for both end-entity certificates. Similarly, on the server side, where strongSwan sends TLS certificate requests for all available CA certificates (i.e. like the certs option, the cacerts option is only relevant for IKE, not for EAP-TLS).
Regards,
Tobias