Hello Tobias, we are using VICI (not configuration files), so I hope we're getting everything.
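For this setup our credential directory looks like this /media/sde1/certs/Org1: Org1.chain Org1.crt Org1.key Org1.sca1 Org1.ta /media/sde1/certs/Org2: Org2.chain Org2.crt Org2.key Org2.sca2 Org2.ta So we only load the "user cert" using VICI; we're letting charon select the correct key and SCA. Test 1, Org1/Org1.crt (196) and Org2/Org2.crt (211), when using this setup 196 VPN comes up and 211 VPN does not (incorrect SCA selected) Test 2, Org2/Org2.crt (211), when using this setup 211 VPN does come up Test 3, Org1/Org1.crt (211) and Org2/Org2.crt (196), when using this setup both 211 VPN and 196 VPN come up I verified the keys are different, and the "user certs" and SCA files are correct. The log file indicates the correct "user certs" are used for each tunnel. ? what else should I check Below is sample code:

/* load connection
 * returns: 0 = for ok, else 1
 * Note:
 * reference doc for swanctl.conf https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
 * reference doc for ipsec.conf: config setup https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
 * example config file /etc/swanctl/swanctl.conf
 * Keys not set below are left at charon's defaults (see the swanctl.conf reference).
 */

/* True when an optional string parameter is present and non-empty. */
static int has_value(const char *s)
{
    return s != NULL && s[0] != '\0';
}

/* Add the traffic-selector list <key>: one list item per comma-separated
 * selector in value (surrounding blanks trimmed), or "dynamic" when value is
 * empty/NULL so that the peer assigns the address and mask. */
static void add_ts_list(vici_req_t *req, const char *key, const char *value)
{
    int added = 0;

    vici_begin_list(req, key);
    if (has_value(value)) {
        const char *start = value;
        for (;;) {
            const char *end = strchr(start, ',');
            size_t len = end ? (size_t)(end - start) : strlen(start);

            /* trim blanks around this element */
            while (len && start[0] == ' ') {
                start++;
                len--;
            }
            while (len && start[len - 1] == ' ') {
                len--;
            }
            if (len) {
                /* "%.*s" avoids copying the element into a scratch buffer */
                vici_add_list_itemf(req, "%.*s", (int)len, start);
                added++;
            }
            if (!end) {
                break;
            }
            start = end + 1;
        }
    }
    if (!added) {
        /* nothing usable was configured: let the peer set IP address and mask */
        vici_add_list_itemf(req, "%s", "dynamic");
    }
    vici_end_list(req);
}

/* Local authentication round (connections.<conn>.local): our end-entity
 * cert, auth method and identities. Frees *cert once it is in the request. */
static void add_local_auth(vici_req_t *req, struct s_connection_parameters *param, chunk_t *cert)
{
    vici_begin_section(req, "local");

    //connections.<conn>.local.certs
    //only the user cert is passed; charon pairs it with an already loaded private key
    //(a key shared between identities makes that pairing ambiguous — see thread above)
    vici_begin_list(req, "certs");
    vici_add_list_item(req, cert->ptr, cert->len);
    chunk_free(cert); //chunk no longer needed once added to the request
    vici_end_list(req);

    //connections.<conn>.local.auth ("eap" for IKEv2 EAP, or "pubkey")
    vici_add_key_valuef(req, "auth", "%s", param->left_auth);
    //connections.<conn>.local.id
    vici_add_key_valuef(req, "id", "%s", param->local_id);
    //connections.<conn>.local.eap_id (optional)
    if (has_value(param->eap_id)) {
        vici_add_key_valuef(req, "eap_id", "%s", param->eap_id);
    }

    vici_end_section(req); //section end for local
}

/* Remote authentication round (connections.<conn>.remote). */
static void add_remote_auth(vici_req_t *req, struct s_connection_parameters *param)
{
    vici_begin_section(req, "remote");

    //connections.<conn>.remote.id
    vici_add_key_valuef(req, "id", "%s", param->remote_id);
    //connections.<conn>.remote.revocation
    //"relaxed": a cert is rejected only when definitely revoked; a CRL/OCSP check
    //that cannot be completed is tolerated (see swanctl.conf reference)
    vici_add_key_valuef(req, "revocation", "%s", "relaxed");
    //connections.<conn>.remote.auth
    vici_add_key_valuef(req, "auth", "%s", "pubkey");

    vici_end_section(req); //section end for remote
}

/* CHILD_SA sub-section (connections.<conn>.children.<child>), <child> = <conn> for now. */
static void add_child(vici_req_t *req, struct s_connection_parameters *param)
{
    vici_begin_section(req, "children");
    vici_begin_section(req, param->conn_name);

    //connections.<conn>.children.<child>.esp_proposals
    create_list_for_proposals(req, "esp_proposals", param->esp_proposals);
    //connections.<conn>.children.<child>.local_ts  (always "dynamic")
    add_ts_list(req, "local_ts", NULL);
    //connections.<conn>.children.<child>.remote_ts (comma-separated list or "dynamic")
    add_ts_list(req, "remote_ts", param->child_remote_ts);
    //connections.<conn>.children.<child>.rekey_time
    vici_add_key_valuef(req, "rekey_time", "%s", param->child_rekey_time);
    //connections.<conn>.children.<child>.updown
    vici_add_key_valuef(req, "updown", "%s", "/usr/lib32/ipsec/_updown_tdy.py");
    //connections.<conn>.children.<child>.mode
    vici_add_key_valuef(req, "mode", "%s", "tunnel");
    //connections.<conn>.children.<child>.dpd_action ("clear", "restart", ...)
    vici_add_key_valuef(req, "dpd_action", "%s", param->child_dpd_action);

    vici_end_section(req); //section end for child / connection
    vici_end_section(req); //section end for children
}

/* Build and submit a "load-conn" request for param->conn_name over conn.
 * param: connection settings; param->local_cert is the path of the user cert.
 * returns: 0 on success, 1 when the cert cannot be loaded, the submit fails,
 * or charon reports an error (the message is printed). */
int load_conn(vici_conn_t *conn, struct s_connection_parameters *param)
{
    vici_req_t *req;
    vici_res_t *res;
    chunk_t cert;

    //load the user cert
    load_cert_from_file(param->local_cert, &cert);
    if (cert.ptr == NULL) {
        printf("load connection failed : error loading local cert.\n");
        return 1;
    }

    req = vici_begin("load-conn");
    vici_begin_section(req, param->conn_name);

    //connections.<conn>.version
    vici_add_key_valuef(req, "version", "%s", param->ike_version);
    //connections.<conn>.local_addrs
    vici_begin_list(req, "local_addrs");
    vici_add_list_itemf(req, "%s", param->local_addrs);
    vici_end_list(req);
    //connections.<conn>.remote_addrs
    vici_begin_list(req, "remote_addrs");
    vici_add_list_itemf(req, "%s", param->remote_addrs);
    vici_end_list(req);
    //connections.<conn>.proposals
    create_list_for_proposals(req, "proposals", param->proposals);
    //connections.<conn>.vips
    //note: requests a "virtual IP" used for local_ts and remote_ts
    vici_begin_list(req, "vips");
    vici_add_list_itemf(req, "%s", "0.0.0.0");
    vici_end_list(req);
    //connections.<conn>.mobike (enabled by default; "no" disables interface searching)
    vici_add_key_valuef(req, "mobike", "%s", param->mobike);
    //connections.<conn>.dpd_delay
    vici_add_key_valuef(req, "dpd_delay", "%s", param->dpd_delay);
    //connections.<conn>.keyingtries
    //number of retransmission sequences during initial connect; 0 retries until
    //the connection establishes or fails with a permanent error
    vici_add_key_valuef(req, "keyingtries", "%s", param->keying_tries);
    //connections.<conn>.reauth_time
    vici_add_key_valuef(req, "reauth_time", "%s", param->ike_reauth_time);
    //connections.<conn>.rekey_time
    vici_add_key_valuef(req, "rekey_time", "%s", param->ike_rekey_time);

    add_local_auth(req, param, &cert);
    add_remote_auth(req, param);
    add_child(req, param);

    vici_end_section(req); //section end for connection

    res = vici_submit(req, conn);
    if (!res) {
        printf("load connection failed :%s \n", strerror(errno));
        return 1;
    }
    if (!streq(vici_find_str(res, "no", "success"), "yes")) {
        //report the connection that actually failed, not a fixed name
        printf("loading connection %s failed : %s \n", param->conn_name,
               vici_find_str(res, "", "errmsg"));
        vici_free_res(res); //response was leaked on this path before
        return 1;
    }
    printf("loaded connection %s \n", param->conn_name);
    vici_free_res(res);
    return 0;
} -----Original Message----- From: Tobias Brunner <tob...@strongswan.org> Sent: Friday, November 16, 2018 1:45 AM To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert Hi Anthony, > !!!Selected user cert is CN=TDY Test SCA 4 > 2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate > \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test > SCA 4\" key: 2048 bit RSA That's the server's certificate, selected to verify the authentication. > 2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[TLS] sending TLS peer > certificate \'CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems > Engineering, C=US\' > !!! ? 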
why did TLS send the SCA 1 cert? That certificate is selected based on the identity (whatever it is you configured). If a private key is loaded for this key and identity, why shouldn't it be selected? Did you perhaps use the same key for different identities (or the same identity for different keys)? Also, what does your configuration actually look like? Regards, Tobias