Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-29 Thread Modster, Anthony
Thanks -Original Message- From: Tobias Brunner Sent: Thursday, November 29, 2018 5:12 AM To: Modster, Anthony ; users@lists.strongswan.org Cc: Wong, Richard Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert Hi Anthony, > ? can VICI be configured to l

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-29 Thread Tobias Brunner
Hi Anthony, > ? can VICI be configured to load a specific SCA cert per VPN (would this help) That doesn't make a difference. As mentioned, only the identity is relevant on the client. So unless you can get the server to send a TLS certificate request only for a specific intermediate CA you

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-28 Thread Modster, Anthony
Hello Tobias ? can VICI be configured to load a specific SCA cert per VPN (would this help) -Original Message- From: Tobias Brunner Sent: Wednesday, November 28, 2018 2:21 AM To: Modster, Anthony ; users@lists.strongswan.org Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-28 Thread Tobias Brunner
Hi Anthony, As I suspected, you use the same identity for the two end-entity certificates that are signed by different intermediate CAs: > ipsec pki --print -i /etc/swanctl/x509/Org1.crt > subject: "CN=RA00017.auth, > ..." > issuer: "..., CN=TDY Test SCA 1" > ... > altNames:

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-27 Thread Modster, Anthony
Hello Tobias ? did you get my last email with attachments -Original Message- From: Modster, Anthony Sent: Monday, November 26, 2018 3:46 PM To: 'Tobias Brunner' ; users@lists.strongswan.org Subject: RE: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert Hello Tobias Sorry

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-26 Thread Modster, Anthony
d_dpd_action=restart dpd_timeout= keying_tries=0 Thanks -Original Message- From: Tobias Brunner Sent: Monday, November 19, 2018 3:00 AM To: Modster, Anthony ; users@lists.strongswan.org Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert Hi Anthony, > For this setup a

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-19 Thread Tobias Brunner
Hi Anthony, > For this setup our credential directory looks like this > /media/sde1/certs/Org1: > Org1.chain Org1.crt Org1.key Org1.sca1 Org1.ta > /media/sde1/certs/Org2: > Org2.chain Org2.crt Org2.key Org2.sca2 Org2.ta > > So we only load the "user cert" using VICI, were

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-16 Thread Modster, Anthony
//connections..children..dpd_action //connections..children..ipcomp //connections..children..inactivity //connections..children..reqid //connections..children..mark_in //connections..children..mark_out //connections..children.

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-16 Thread Tobias Brunner
Hi Anthony, > !!!Selected user cert is CN=TDY Test SCA 4 > 2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate > \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test > SCA 4\" key: 2048 bit RSA That's the server's certificate, selected to verify the