
List:       strongswan-users
Subject:    Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert
From:       "Modster, Anthony" <Anthony.Modster () Teledyne ! com>
Date:       2018-11-29 17:25:11
Message-ID: F03BEFDFC2B8F7489DE861AE1958D3BAA2E80069 () ENT-PPMSG-MBX01 ! TDY ! Teledyne ! com

Thanks

-----Original Message-----
From: Tobias Brunner <tobias@strongswan.org> 
Sent: Thursday, November 29, 2018 5:12 AM
To: Modster, Anthony <Anthony.Modster@Teledyne.com>; users@lists.strongswan.org
Cc: Wong, Richard <Richard.Wong@Teledyne.com>
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

> ? can VICI be configured to load a specific SCA cert per VPN (would 
> this help)

That doesn't make a difference.  As mentioned, only the identity is relevant on the
client.  So unless you can get the server to send a TLS certificate request only for
a specific intermediate CA you can't control the client's certificate selection if
you use the same identity for both end-entity certificates.  Similarly, on the server
side, where strongSwan sends TLS certificate requests for all available CA
certificates (i.e. like the certs option, the cacerts option is only relevant for
IKE, not for EAP-TLS).

Regards,
Tobias

