Hi Andreas,
as far as I know, the "cacerts" parameter currently applies to the IKEv2
trust chain verification only (it primarily controls which CAs are
requested by the CERTREQ payload), but it doesn't have any effect
on the trust chain verification of our TLS stack.
Best regards
Andreas
On 05.08.22 21:44, Andreas Weigel wrote:
Hi everyone,
I have a setup in which a gateway uses eap-dynamic to authenticate
clients using either eap-mschapv2 or eap-tls, basically the same as
https://www.strongswan.org/testing/testresults/ikev2/rw-eap-dynamic/.
Now, if I try to specify the cacerts parameter in the remote section of
the connection to restrict the accepted certificates for clients using
eap-tls, clients can no longer connect using eap-mschapv2:
2022-08-05T15:08:29.910-04:00|charon||10[IKE] <hc_gw_eap|1> authentication of 'test' with EAP successful
2022-08-05T15:08:29.912-04:00|charon||10[CFG] <hc_gw_eap|1> constraint check failed: peer not authenticated by CA '[...]'
With the cacerts parameter removed, the connection works.
Is this intended behavior? On first glance, it would make sense to me to
be able to use the cacerts (or certs) constraint to restrict
eap-dynamic->eap-tls clients to that one CA in the presence of multiple
connections on the same device that may use a different CA or certificates.
Kind regards,
Andreas
--
======================================================================
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================