A quick question about CA certs in the context of cert-based auth.
I've got two tunnels on the same server, like this, using different certificates
(all of them, for each connection, are different from the other connection's).
Reason: one client is strongSwan and supports EC certs, the other client only
does RSA.
This one uses RSA certs:
connections {
    rsa_tunnel {
        local_addrs = 139.0.0.1
        remote_addrs = 89.0.0.1
        version = 2
        proposals = aes128-sha256-ecp256
        local {
            auth = pubkey
            certs = lintun_server.crt
        }
        remote {
            auth = pubkey
            cacerts = lintun_CA.crt
        }
        children {
            xxx {
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
                esp_proposals = aes128-sha256-ecp256
            }
        }
    }
}
And this one uses EC certs:
connections {
    ec_tunnel {
        local_addrs = 139.0.0.1
        remote_addrs = 172.0.0.1
        version = 2
        proposals = aes128-sha256-ecp256
        local {
            auth = pubkey
            certs = ec_tunnel_server.crt
        }
        remote {
            auth = pubkey
            cacerts = ec_tunnel_CA.crt
        }
        children {
            zzz {
                mode = transport
                esp_proposals = aes128gcm128-x25519
            }
        }
    }
}
Now when strongSwan negotiates authentication, I see that it asks either client
for either CA:
Mar 14 16:28:40 charon-systemd[12802]: sending cert request for "C=RU, O=RsaTunnel, OU=CA"
Mar 14 16:28:40 charon-systemd[12802]: sending cert request for "C=RU, O=EcTunnel, OU=CA"
It seems to me that at this point the server should already know which
connection "block" it's dealing with - and so which CA cert it will need from
the client.
One CA cert, not all CA certs in all configured connections, right?
Also, does the above mean that either client can authenticate through either CA
cert, even the other connection's?
--
Kostya Vasilyev
[email protected]
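Added example (not part of the original post, and not strongSwan's own code): a small Python parser for the brace-delimited swanctl.conf syntax used above, which lists per connection the CA files named in its remote*.cacerts entries and flags any CA file that more than one connection trusts for its peer. The embedded sample is a constructed merge of the two blocks from the post into the single connections section a real swanctl.conf would hold, with the children trimmed; the file names and addresses are the post's own. It does not model IKE behaviour, only what the configuration says.

```python
"""Added example: parse swanctl.conf-style connection blocks and list
which CA file(s) each connection's remote peer must chain to."""
import re
from typing import Any, Dict, List

# Constructed sample: the two blocks from the post merged into the single
# 'connections' section swanctl.conf normally holds (children trimmed).
SAMPLE_CONF = """
connections {
    rsa_tunnel {
        local_addrs = 139.0.0.1
        remote_addrs = 89.0.0.1
        local {
            auth = pubkey
            certs = lintun_server.crt
        }
        remote {
            auth = pubkey
            cacerts = lintun_CA.crt
        }
        children {
            xxx {
                mode = transport
            }
        }
    }
    ec_tunnel {
        local_addrs = 139.0.0.1
        remote_addrs = 172.0.0.1
        local {
            auth = pubkey
            certs = ec_tunnel_server.crt
        }
        remote {
            auth = pubkey
            cacerts = ec_tunnel_CA.crt   # trailing comment is ignored
        }
        children {
            zzz {
                mode = transport
            }
        }
    }
}
"""

SECTION_RE = re.compile(r"^([\w.-]+)\s*\{$")
KV_RE = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")


def parse_conf(text: str) -> Dict[str, Any]:
    """Turn the brace-delimited 'key = value' format into nested dicts.
    Strips '#' comments and blank lines; raises on unbalanced braces."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif (m := SECTION_RE.match(line)):
            stack[-1][m.group(1)] = child = {}
            stack.append(child)
        elif (m := KV_RE.match(line)):
            stack[-1][m.group(1)] = m.group(2).strip()
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section at end of input")
    return root


def remote_cas(conf: Dict[str, Any]) -> Dict[str, List[str]]:
    """Connection name -> CA files named in its remote*.cacerts entries
    (comma-separated values are split; empty list means none configured)."""
    result: Dict[str, List[str]] = {}
    for name, conn in conf.get("connections", {}).items():
        cas: List[str] = []
        for key, sect in conn.items():
            if key.startswith("remote") and isinstance(sect, dict):
                cas += [v.strip() for v in sect.get("cacerts", "").split(",") if v.strip()]
        result[name] = cas
    return result


def shared_cas(per_conn: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """CA files that more than one connection trusts for its peer."""
    users: Dict[str, set] = {}
    for name, cas in per_conn.items():
        for ca in cas:
            users.setdefault(ca, set()).add(name)
    return {ca: sorted(n) for ca, n in users.items() if len(n) > 1}


if __name__ == "__main__":
    per_conn = remote_cas(parse_conf(SAMPLE_CONF))
    for name, cas in per_conn.items():
        print(f"{name}: peer must chain to {', '.join(cas) or '(no cacerts set)'}")
    print("CAs shared between connections:", shared_cas(per_conn) or "none")
```

To run it against a live file, call parse_conf() on the contents of swanctl.conf instead of SAMPLE_CONF. The parser deliberately covers only the subset of the syntax used in the post: it does not follow include directives or handle quoted values, so treat a ValueError on a real file as "extend the parser", not as a broken configuration.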