Thanks
-Original Message-
From: Tobias Brunner
Sent: Thursday, November 29, 2018 5:12 AM
To: Modster, Anthony ; users@lists.strongswan.org
Cc: Wong, Richard
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert
Hi Anthony,
> - can VICI be configured to load a specific SCA cert per VPN (would this help)
That doesn't make a difference. As mentioned, only the identity is
relevant on the client. So unless you can get the server to send a TLS
certificate request only for a specific intermediate CA you
Hello Tobias
- can VICI be configured to load a specific SCA cert per VPN (would this help)
-Original Message-
From: Tobias Brunner
Sent: Wednesday, November 28, 2018 2:21 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using
Hi Anthony,
As I suspected, you use the same identity for the two end-entity
certificates that are signed by different intermediate CAs:
> ipsec pki --print -i /etc/swanctl/x509/Org1.crt
> subject: "CN=RA00017.auth, ..."
> issuer: "..., CN=TDY Test SCA 1"
> ...
> altNames:
Hello Tobias
- did you get my last email with attachments
-Original Message-
From: Modster, Anthony
Sent: Monday, November 26, 2018 3:46 PM
To: 'Tobias Brunner' ; users@lists.strongswan.org
Subject: RE: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert
Hello Tobias
Sorry
d_dpd_action=restart dpd_timeout= keying_tries=0
Thanks
-Original Message-
From: Tobias Brunner
Sent: Monday, November 19, 2018 3:00 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert
Hi Anthony,
> For this setup our credential directory looks like this
> /media/sde1/certs/Org1:
> Org1.chain Org1.crt Org1.key Org1.sca1 Org1.ta
> /media/sde1/certs/Org2:
> Org2.chain Org2.crt Org2.key Org2.sca2 Org2.ta
>
> So we only load the "user cert" using VICI, where
//connections..children..dpd_action
//connections..children..ipcomp
//connections..children..inactivity
//connections..children..reqid
//connections..children..mark_in
//connections..children..mark_out
//connections..children.
Hi Anthony,
> !!!Selected user cert is CN=TDY Test SCA 4
> 2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 4" key: 2048 bit RSA
That's the server's certificate, selected to verify the