[strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Modster, Anthony Anthony.Modster at Teledyne.com
Thu Nov 29 18:25:11 CET 2018


-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org> 
Sent: Thursday, November 29, 2018 5:12 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Cc: Wong, Richard <Richard.Wong at Teledyne.com>
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

> ? can VICI be configured to load a specific SCA cert per VPN (would 
> this help)

That doesn't make a difference.  As mentioned, only the identity is relevant on the client.  So unless you can get the server to send a TLS certificate request only for a specific intermediate CA you can't control the client's certificate selection if you use the same identity for both end-entity certificates.  Similarly, on the server side, where strongSwan sends TLS certificate requests for all available CA certificates (i.e. like the certs option, the cacerts option is only relevant for IKE, not for EAP-TLS).


More information about the Users mailing list