[strongSwan] Multiple CA certs - why are all (not one) requested from a client?
Tobias Brunner
tobias at strongswan.org
Thu Mar 14 14:45:41 CET 2019
Hi Kostya,
> It seems to me that at this point the server should already know which connection "block" it's dealing with
It doesn't. At that point (IKE_SA_INIT response) it only has IP
addresses to select an initial partial config, that is, there is no peer
config with identities and certs yet.
> Also does the above mean that either client can authenticate through either CA cert, even the other connection's?
No. If the client's certificate is issued by a CA that's not allowed,
the connection gets switched, or the client is rejected if no config
matches.
Regards,
Tobias
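As an added illustration of the configuration situation the reply describes (this is not from the thread or from the strongSwan project; connection names, file names, addresses and DNs are placeholders), here is a swanctl.conf with two connections that are indistinguishable by address and differ only in the CA the client's certificate must chain to and in the remote identity pattern:

```conf
# Added example: two connections on the same listening address.
# At IKE_SA_INIT the responder only knows the addresses, and both
# connections match, so CERTREQ payloads for orgA-ca.pem and
# orgB-ca.pem are both sent. Which connection is used is decided
# in IKE_AUTH, when the peer's certificate and identity are known.
connections {
    clients-org-a {
        local_addrs  = 203.0.113.10
        remote_addrs = %any
        local {
            auth  = pubkey
            certs = serverCert.pem
            id    = vpn.example.com
        }
        remote {
            auth    = pubkey
            # only certificates issued by Org A's CA are accepted here
            cacerts = orgA-ca.pem
            id      = "C=CH, O=Org A, CN=*"
        }
        children {
            net-a {
                local_ts = 10.1.0.0/16
            }
        }
    }

    clients-org-b {
        local_addrs  = 203.0.113.10
        remote_addrs = %any
        local {
            auth  = pubkey
            certs = serverCert.pem
            id    = vpn.example.com
        }
        remote {
            auth    = pubkey
            # only certificates issued by Org B's CA are accepted here
            cacerts = orgB-ca.pem
            id      = "C=CH, O=Org B, CN=*"
        }
        children {
            net-b {
                local_ts = 10.2.0.0/16
            }
        }
    }
}
```

With this setup a client presenting an Org B certificate that initially lands on clients-org-a is moved to clients-org-b because that is the config whose remote cacerts and id constraints it satisfies; a client whose certificate chains to neither CA matches no config and is rejected. The CA files are resolved relative to the swanctl x509ca directory unless given as absolute paths, and after editing the file you can check what was loaded with swanctl --load-all followed by swanctl --list-conns and swanctl --list-certs.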