ipsec remote access VPN: specify "cacerts" to disambiguate mulitple remote access configurations
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	lucasec
	Dec 29 2023, 5:59 AM

Description

For authentication methods that depend on validating a client certificate against a CA (e.g. EAP-TLS), we currently do not explicitly tell strongswan which CA to use. All CAs configured for any remote access VPN configuration are loaded into strongswan so one remote access configuration will accept a client certificate signed by the CA configured on another connection.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Improvement (missing useful functionality)

Event Timeline

lucasec created this task.Dec 29 2023, 5:59 AM

lucasec created this object in space S1 VyOS Public.

pasik added a subscriber: pasik.Dec 29 2023, 9:45 AM

dmbaturin closed this task as Resolved.Apr 12 2024, 2:44 PM

dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.4 Sagitta.

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.Sat, May 11, 5:24 PM

dmbaturin changed Issue type from Unspecified (please specify) to Improvement (missing useful functionality).

ipsec remote access VPN: specify "cacerts" to disambiguate mulitple remote access configurationsClosed, ResolvedPublicActions

Description

Details

Event Timeline

ipsec remote access VPN: specify "cacerts" to disambiguate mulitple remote access configurations
Closed, ResolvedPublic
Actions