Hello Tobias
Sorry for the late reply, I was on vacation.
Let me know if you get this email and all attachments.

Attached are the credentials in both locations on the target ".tar".

Also attached is the credentials dumped using "ipsec pki --print".

Provide certificates to strongswan
•       swanctl.tar ipsecd.tar
More cert information
•       ipsec pki --print -i /etc/swanctl/x509/Org1.crt
•       ipsec pki --print -i /etc/swanctl/x509ca/Org1.sca1
•       ipsec pki --print -i /etc/swanctl/x509ca/Org1.ta
•       ipsec pki --print -i /etc/swanctl/x509/Org2.crt
•       ipsec pki --print -i /etc/swanctl/x509ca/Org2.sca1
•       ipsec pki --print -i /etc/swanctl/x509ca/Org2.ta
•       https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiPrint
Debug for configured certificates/identities in struct s_connection_parameters
•       vici_do_connect() conn_name=sgateway1-radio2 ike_version=2 
local_addrs=10.20.64.145 remote_addrs=76.232.248.196 eap_id= 
proposals=aes256-sha512-sha384-ecp256-sha256-modp2048-prfsha1 
ike_reauth_time=240m ike_rekey_time=0 local_cert=/etc/swanctl/x509/Org1.crt 
local_id=ra00...@teledyne.com remote_id=C=US, O=Teledyne Controls Engineering, 
OU=Systems Engineering, CN=WGL196 - ID, OU=Devices, OU=Aircraft Operator Ground 
Stations, OU=Teledyne Controls esp_proposals=aes256-sha1 child_local_ts= 
child_remote_ts=80.80.80.15 child_rekey_time=0 left_auth=pubkey mobike=no 
dpd_delay=20s child_dpd_action=restart dpd_timeout= keying_tries=0
•       vici_do_connect() conn_name=sgateway2-radio2 ike_version=2 
local_addrs=10.20.64.145 remote_addrs=76.232.248.211 eap_id= 
proposals=aes256-sha384-modp2048 ike_reauth_time=240m ike_rekey_time=0 
local_cert=/etc/swanctl/x509/Org2.crt local_id=ra00...@teledyne.com 
remote_id=C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=ELS-VPAPP-WGL08 - ID, OU=Devices, OU=Aircraft Operator Ground Stations, 
OU=Teledyne Controls esp_proposals=aes256-sha256-sha1 child_local_ts= 
child_remote_ts=172.16.207.140 child_rekey_time=0 left_auth=eap mobike=no 
dpd_delay=20s child_dpd_action=restart dpd_timeout= keying_tries=0

Thanks

-----Original Message-----
From: Tobias Brunner <tob...@strongswan.org> 
Sent: Monday, November 19, 2018 3:00 AM
To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

> For this setup are credential directory looks like this
> /media/sde1/certs/Org1:
> Org1.chain  Org1.crt  Org1.key        Org1.sca1  Org1.ta
> /media/sde1/certs/Org2:
> Org2.chain  Org2.crt  Org2.key        Org2.sca2  Org2.ta
> 
> So we only load the "user cert" using VICI, were letting charon select the 
> correct key and sca.

Could you please provide more information on these certificate chains 
(preferably the files themselves, but output from `pki --print` might help too) 
and the configured certificates/identities (the code you added is itself 
configured via `struct s_connection_parameters`).

Regards,
Tobias

Attachment: ipsecd.tar
Description: ipsecd.tar

Attachment: swanctl.tar
Description: swanctl.tar

  subject:  "CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems 
Engineering, C=US"
  issuer:   "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test SCA 4"
  validity:  not before Nov 14 22:21:00 2018, ok
             not after  Nov 14 22:21:00 2021, ok (expires in 1084 days)
  serial:    0e
  altNames:  ra00...@teledyne.com
  flags:     clientAuth ikeIntermediate 
  CRL URIs:  http://www.carillon.ca/caops/test-signca2-crl.crl
  OCSP URIs: http://www.carillon.ca/sha2-ocsp
  certificatePolicies:
             1.3.6.1.4.1.25054.3.1.113
  authkeyId: 39:7f:86:a5:6d:e9:b4:bd:0c:ce:62:30:f1:d9:2f:a2:c3:9a:65:5b
  subjkeyId: 81:09:51:c6:65:d0:f6:93:c0:4c:d0:0a:c6:07:fc:21:a7:1c:19:d3
  pubkey:    RSA 2048 bits
  keyid:     5f:c2:79:51:0b:84:fb:1d:fa:ff:ec:42:f6:7b:30:83:e7:d8:62:41
  subjkey:   81:09:51:c6:65:d0:f6:93:c0:4c:d0:0a:c6:07:fc:21:a7:1c:19:d3
  subject:  "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test SCA 4"
  issuer:   "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test Root CA"
  validity:  not before Nov 01 17:00:00 2018, ok
             not after  Nov 01 17:00:00 2024, ok (expires in 2166 days)
  serial:    09
  flags:     CA CRLSign 
  CRL URIs:  http://www.carillon.ca/caops/TEST-cisRCA1.crl
  pathlen:   0
  certificatePolicies:
             1.3.6.1.4.1.25054.3.1.103
             1.3.6.1.4.1.25054.3.1.104
             1.3.6.1.4.1.25054.3.1.105
             1.3.6.1.4.1.25054.3.1.106
             1.3.6.1.4.1.25054.3.1.107
             1.3.6.1.4.1.25054.3.1.108
             1.3.6.1.4.1.25054.3.1.109
             1.3.6.1.4.1.25054.3.1.110
             1.3.6.1.4.1.25054.3.1.130
             1.3.6.1.4.1.25054.3.1.111
             1.3.6.1.4.1.25054.3.1.131
             1.3.6.1.4.1.25054.3.1.112
             1.3.6.1.4.1.25054.3.1.113
             1.3.6.1.4.1.25054.3.1.114
             1.3.6.1.4.1.25054.3.1.120
             1.3.6.1.4.1.25054.3.1.121
             1.3.6.1.4.1.25054.3.1.122
  authkeyId: 87:85:c8:f8:20:ad:c9:48:3b:b5:80:f3:b8:e5:c3:51:66:f5:d5:04
  subjkeyId: 39:7f:86:a5:6d:e9:b4:bd:0c:ce:62:30:f1:d9:2f:a2:c3:9a:65:5b
  pubkey:    RSA 2048 bits
  keyid:     43:f8:5e:13:33:e9:39:c5:d7:88:db:93:cb:65:12:4d:bd:aa:b2:02
  subjkey:   39:7f:86:a5:6d:e9:b4:bd:0c:ce:62:30:f1:d9:2f:a2:c3:9a:65:5b
  subject:  "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test Root CA"
  issuer:   "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test Root CA"
  validity:  not before Oct 12 23:03:00 2018, ok
             not after  Jan 19 03:14:07 2038, ok (expires in 6993 days)
  serial:    01
  flags:     CA CRLSign self-signed 
  subjkeyId: 87:85:c8:f8:20:ad:c9:48:3b:b5:80:f3:b8:e5:c3:51:66:f5:d5:04
  pubkey:    RSA 2048 bits
  keyid:     fa:dc:97:d7:9f:c1:9e:47:8d:0c:50:61:04:c0:0e:0b:fd:c1:9c:23
  subjkey:   87:85:c8:f8:20:ad:c9:48:3b:b5:80:f3:b8:e5:c3:51:66:f5:d5:04
  subject:  "CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems 
Engineering, C=US"
  issuer:   "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test SCA 1"
  validity:  not before Nov 14 22:49:00 2018, ok
             not after  Nov 14 22:49:00 2021, ok (expires in 1084 days)
  serial:    0d
  altNames:  ra00...@teledyne.com
  flags:     clientAuth ikeIntermediate 
  CRL URIs:  http://www.carillon.ca/caops/test-signca2-crl.crl
  OCSP URIs: http://www.carillon.ca/sha2-ocsp
  certificatePolicies:
             1.3.6.1.4.1.25054.3.1.113
  authkeyId: 92:e1:0f:68:37:91:79:4d:cd:b2:fa:1f:c9:56:39:34:a8:ab:45:ea
  subjkeyId: 0f:c4:a7:89:29:67:67:b8:56:f3:78:dc:59:ce:1e:f4:e2:1c:eb:96
  pubkey:    RSA 2048 bits
  keyid:     6a:cc:6a:56:5f:96:bc:05:dc:5b:57:cb:57:1b:a2:ce:86:d0:b3:c1
  subjkey:   0f:c4:a7:89:29:67:67:b8:56:f3:78:dc:59:ce:1e:f4:e2:1c:eb:96
  subject:  "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test SCA 1"
  issuer:   "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test Root CA"
  validity:  not before Oct 12 23:27:00 2018, ok
             not after  Oct 12 23:27:00 2024, ok (expires in 2147 days)
  serial:    03
  flags:     CA CRLSign 
  CRL URIs:  http://www.carillon.ca/caops/TEST-cisRCA1.crl
  pathlen:   0
  certificatePolicies:
             1.3.6.1.4.1.25054.3.1.103
             1.3.6.1.4.1.25054.3.1.104
             1.3.6.1.4.1.25054.3.1.105
             1.3.6.1.4.1.25054.3.1.106
             1.3.6.1.4.1.25054.3.1.107
             1.3.6.1.4.1.25054.3.1.108
             1.3.6.1.4.1.25054.3.1.109
             1.3.6.1.4.1.25054.3.1.110
             1.3.6.1.4.1.25054.3.1.130
             1.3.6.1.4.1.25054.3.1.111
             1.3.6.1.4.1.25054.3.1.131
             1.3.6.1.4.1.25054.3.1.112
             1.3.6.1.4.1.25054.3.1.113
             1.3.6.1.4.1.25054.3.1.114
             1.3.6.1.4.1.25054.3.1.120
             1.3.6.1.4.1.25054.3.1.121
             1.3.6.1.4.1.25054.3.1.122
  authkeyId: 87:85:c8:f8:20:ad:c9:48:3b:b5:80:f3:b8:e5:c3:51:66:f5:d5:04
  subjkeyId: 92:e1:0f:68:37:91:79:4d:cd:b2:fa:1f:c9:56:39:34:a8:ab:45:ea
  pubkey:    RSA 2048 bits
  keyid:     ba:ef:c0:f9:94:3d:97:82:9d:da:a2:2a:eb:2e:0c:4f:71:00:6e:13
  subjkey:   92:e1:0f:68:37:91:79:4d:cd:b2:fa:1f:c9:56:39:34:a8:ab:45:ea
  subject:  "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test Root CA"
  issuer:   "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test Root CA"
  validity:  not before Oct 12 23:03:00 2018, ok
             not after  Jan 19 03:14:07 2038, ok (expires in 6993 days)
  serial:    01
  flags:     CA CRLSign self-signed 
  subjkeyId: 87:85:c8:f8:20:ad:c9:48:3b:b5:80:f3:b8:e5:c3:51:66:f5:d5:04
  pubkey:    RSA 2048 bits
  keyid:     fa:dc:97:d7:9f:c1:9e:47:8d:0c:50:61:04:c0:0e:0b:fd:c1:9c:23
  subjkey:   87:85:c8:f8:20:ad:c9:48:3b:b5:80:f3:b8:e5:c3:51:66:f5:d5:04
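Added here as an illustration (not code from the thread or from strongSwan): a small Python check over the `pki --print` output above that rebuilds each chain by matching authkeyId to subjkeyId and reports identities carried by more than one end-entity certificate. That is the ambiguity worth ruling out when two connections share one local_id but name different local_cert files, as sgateway1-radio2 and sgateway2-radio2 do. The embedded input is a trimmed excerpt of the posted output; DN parts and fields not needed for chain building are dropped.

```python
import re

# Trimmed excerpt of the `pki --print` output attached to the thread (OU parts,
# validity, flags etc. dropped); key IDs are copied from the output as posted.
PKI_OUTPUT = """\
  subject:  "CN=RA00017.auth, O=Teledyne Controls Engineering, C=US"
  issuer:   "C=US, O=Teledyne Controls Engineering, CN=TDY Test SCA 4"
  altNames:  ra00...@teledyne.com
  authkeyId: 39:7f:86:a5:6d:e9:b4:bd:0c:ce:62:30:f1:d9:2f:a2:c3:9a:65:5b
  subjkeyId: 81:09:51:c6:65:d0:f6:93:c0:4c:d0:0a:c6:07:fc:21:a7:1c:19:d3
  subject:  "C=US, O=Teledyne Controls Engineering, CN=TDY Test SCA 4"
  authkeyId: 87:85:c8:f8:20:ad:c9:48:3b:b5:80:f3:b8:e5:c3:51:66:f5:d5:04
  subjkeyId: 39:7f:86:a5:6d:e9:b4:bd:0c:ce:62:30:f1:d9:2f:a2:c3:9a:65:5b
  subject:  "CN=RA00017.auth, O=Teledyne Controls Engineering, C=US"
  issuer:   "C=US, O=Teledyne Controls Engineering, CN=TDY Test SCA 1"
  altNames:  ra00...@teledyne.com
  authkeyId: 92:e1:0f:68:37:91:79:4d:cd:b2:fa:1f:c9:56:39:34:a8:ab:45:ea
  subjkeyId: 0f:c4:a7:89:29:67:67:b8:56:f3:78:dc:59:ce:1e:f4:e2:1c:eb:96
  subject:  "C=US, O=Teledyne Controls Engineering, CN=TDY Test SCA 1"
  authkeyId: 87:85:c8:f8:20:ad:c9:48:3b:b5:80:f3:b8:e5:c3:51:66:f5:d5:04
  subjkeyId: 92:e1:0f:68:37:91:79:4d:cd:b2:fa:1f:c9:56:39:34:a8:ab:45:ea
  subject:  "C=US, O=Teledyne Controls Engineering, CN=TDY Test Root CA"
  subjkeyId: 87:85:c8:f8:20:ad:c9:48:3b:b5:80:f3:b8:e5:c3:51:66:f5:d5:04
"""

def parse(text):
    """One dict per certificate; each 'subject:' line starts a new cert."""
    certs = []
    for key, val in re.findall(r'^\s*(\w+):\s+(.+?)\s*$', text, re.M):
        if key == 'subject' or not certs:
            certs.append({})
        certs[-1][key] = val.strip('"')
    return certs

def chain(cert, by_skid):
    """Follow authkeyId -> subjkeyId up to the root; returns the subjects on the way."""
    path = [cert['subject']]
    while 'authkeyId' in cert and cert['authkeyId'] != cert['subjkeyId']:
        cert = by_skid[cert['authkeyId']]  # KeyError here means a missing issuer cert
        path.append(cert['subject'])
    return path

def ambiguous_identities(certs):
    """Identities (altNames) carried by more than one end-entity cert, each with its chain."""
    by_skid = {c['subjkeyId']: c for c in certs}
    seen = {}
    for c in certs:
        if 'altNames' in c:  # only the end-entity certs carry the IKE identity here
            seen.setdefault(c['altNames'], []).append(chain(c, by_skid))
    return {ident: chains for ident, chains in seen.items() if len(chains) > 1}
```

Run against the full output, the same identity shows up twice with chains ending in SCA 4 and SCA 1 respectively, which is what makes "let charon pick the SCA" underdetermined for that local_id.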
