[strongSwan] eap-dynamic (eap-tls, eap-mschapv2) and cacerts constraints

Andreas Steffen andreas.steffen at strongswan.org
Sun Aug 7 08:56:54 CEST 2022


Hi Andreas,

as far as I know, the "cacerts" parameter currently applies to the IKEv2
trust chain verification only (it primarily controls which CAs are
requested by the CERTREQ payload), but it doesn't have any effect
on the trust chain verification of our TLS stack.

Best regards

Andreas

On 05.08.22 21:44, Andreas Weigel wrote:
> Hi everyone,
> 
> I have a setup in which a gateway uses eap-dynamic to authenticate 
> clients using either eap-mschapv2 or eap-tls, basically the same as 
> https://www.strongswan.org/testing/testresults/ikev2/rw-eap-dynamic/.
> 
> Now, if I try to specify the cacerts parameter in the remote section of 
> the connection to restrict the accepted certificates for clients using 
> eap-tls, clients can no longer connect using eap-mschapv2:
> 
> 2022-08-05T15:08:29.910-04:00|charon||10[IKE] <hc_gw_eap|1> 
> authentication of 'test' with EAP successful
> 2022-08-05T15:08:29.912-04:00|charon||10[CFG] <hc_gw_eap|1> constraint 
> check failed: peer not authenticated by CA '[...]'
> 
> With the cacerts parameter removed, the connection works.
> 
> Is this intended behavior? On first glance, it would make sense to me to 
> be able to use the cacerts (or certs) constraint to restrict 
> eap-dynamic->eap-tls clients to that one CA in the presence of multiple 
> connections on the same device that may use a different CA or certificates.
> 
> Kind regards,
> Andreas
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================
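For readers who want to see the setup the question describes in concrete form, here is an added swanctl.conf illustration (not part of this thread, not the rw-eap-dynamic test configuration, and not strongSwan project code). The connection name, addresses, identities and file names are assumed placeholders; the `remote.auth`, `remote.eap_id` and `remote.cacerts` keys are standard swanctl.conf settings. The comments map the two behaviours reported in the thread onto the lines that cause them.

```conf
# Added illustration of a gateway accepting EAP-TLS or EAP-MSCHAPv2 clients
# through eap-dynamic (assumed names; adapt to your deployment).
connections {
    hc_gw_eap {
        local_addrs  = 192.0.2.1          # assumed gateway address
        proposals    = aes256-sha256-ecp256

        local {
            auth  = pubkey
            certs = gwCert.pem             # assumed gateway certificate
            id    = gw.example.org         # assumed gateway identity
        }

        remote {
            # eap-dynamic lets the client pick eap-tls or eap-mschapv2 at run time.
            auth   = eap-dynamic
            eap_id = %any

            # The constraint from the question. As the reply explains, cacerts
            # only constrains the IKEv2 trust chain (and drives CERTREQ), not the
            # trust chain checked inside the EAP-TLS TLS stack. For an
            # eap-mschapv2 client there is no certificate at all, so the IKE_SA
            # passes EAP ("authentication ... with EAP successful") and then
            # fails with "constraint check failed: peer not authenticated by
            # CA ...". Removing this line restores eap-mschapv2 logins.
            cacerts = clientCA.pem         # assumed CA file
        }

        children {
            net {
                local_ts = 10.1.0.0/16     # assumed protected subnet
                esp_proposals = aes256gcm16
            }
        }
    }
}
```

The EAP-MSCHAPv2 credentials and the EAP-TLS client certificates are configured in the `secrets` and `authorities` sections as usual; they are omitted here because the constraint behaviour discussed above does not depend on them.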

