Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-29 Thread Modster, Anthony
Thanks

-Original Message-
From: Tobias Brunner  
Sent: Thursday, November 29, 2018 5:12 AM
To: Modster, Anthony ; users@lists.strongswan.org
Cc: Wong, Richard 
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

> ? can VICI be configured to load a specific SCA cert per VPN (would 
> this help)

That doesn't make a difference.  As mentioned, only the identity is relevant on 
the client.  So unless you can get the server to send a TLS certificate request 
only for a specific intermediate CA you can't control the client's certificate 
selection if you use the same identity for both end-entity certificates.  
Similarly, on the server side, where strongSwan sends TLS certificate requests 
for all available CA certificates (i.e. like the certs option, the cacerts 
option is only relevant for IKE, not for EAP-TLS).

Regards,
Tobias


Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-29 Thread Tobias Brunner
Hi Anthony,

> ? can VICI be configured to load a specific SCA cert per VPN (would this help)

That doesn't make a difference.  As mentioned, only the identity is
relevant on the client.  So unless you can get the server to send a TLS
certificate request only for a specific intermediate CA you can't
control the client's certificate selection if you use the same identity
for both end-entity certificates.  Similarly, on the server side, where
strongSwan sends TLS certificate requests for all available CA
certificates (i.e. like the certs option, the cacerts option is only
relevant for IKE, not for EAP-TLS).

Regards,
Tobias
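As an added illustration of the point in Tobias's reply (the client's EAP-TLS certificate is chosen by identity, while `certs`/`cacerts` only affect IKE), here is a swanctl.conf fragment. It is not part of the thread or of the strongSwan project; the connection names, identities, hostnames and certificate file names are assumed. The mitigation it shows is to give each connection its own client identity so that two end-entity certificates issued by different intermediate CAs can never collide:

```conf
# Added example, not from the thread or the strongSwan project.
# Two EAP-TLS client connections, each meant to present a different
# end-entity certificate (issued by different intermediate CAs).
# strongSwan picks the client certificate for EAP-TLS by the EAP
# identity, so each connection uses a distinct identity that matches
# the subject or subjectAltName of exactly one loaded certificate.
# All names, hosts and file names below are assumptions.
connections {
    vpn-a {
        remote_addrs = vpn-a.example.org        # assumed server
        vips = 0.0.0.0
        local {
            auth = eap-tls
            id = client-a@example.org          # IKE identity (assumed)
            eap_id = client-a@example.org      # EAP identity: matches cert-a only
        }
        remote {
            auth = pubkey
            id = vpn-a.example.org
            # cacerts constrains the IKE certificate request only; it does
            # NOT limit which CA the server asks for inside EAP-TLS.
            cacerts = rootCA.pem
        }
        children {
            net-a {
                remote_ts = 10.1.0.0/16
            }
        }
    }
    vpn-b {
        remote_addrs = vpn-b.example.org        # assumed server
        vips = 0.0.0.0
        local {
            auth = eap-tls
            id = client-b@example.org          # IKE identity (assumed)
            eap_id = client-b@example.org      # EAP identity: matches cert-b only
        }
        remote {
            auth = pubkey
            id = vpn-b.example.org
            cacerts = rootCA.pem
        }
        children {
            net-b {
                remote_ts = 10.2.0.0/16
            }
        }
    }
}
```

Both end-entity certificates and their private keys are loaded into the credential set as usual (for example from /etc/swanctl/x509 and /etc/swanctl/private via `swanctl --load-creds`); no `certs` entry is needed for the EAP-TLS selection, and adding one would not change it. If both certificates carried the same subject or SAN as the identity, the lookup would still be ambiguous, which is exactly the situation the reply describes. A quick check is to inspect each certificate's subject and SAN (e.g. `openssl x509 -in cert-a.pem -noout -subject -ext subjectAltName`) and confirm that each `eap_id` value appears in only one of them.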