[strongSwan] Multiple CA certs - why are all (not one) requested from a client?

Tobias Brunner tobias at strongswan.org
Thu Mar 14 14:45:41 CET 2019


Hi Kostya,

> It seems to me that at this point the server should already know which connection "block" it's dealing with

It doesn't.  At that point (IKE_SA_INIT response) it only has IP
addresses to select an initial partial config, that is, there is no peer
config with identities and certs yet.

> Also does the above mean that either client can authenticate through either CA cert, even the other connection's?

No.  If the client's certificate is issued by a CA that's not allowed,
the connection gets switched, or the client is rejected if no config
matches.

Regards,
Tobias


More information about the Users mailing list