ipsec remote access VPN: specify "cacerts" to disambiguate mulitple remote access configurations
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	lucasec
	Dec 29 2023, 5:59 AM

Description

For authentication methods that depend on validating a client certificate against a CA (e.g. EAP-TLS), we currently do not explicitly tell strongswan which CA to use. All CAs configured for any remote access VPN configuration are loaded into strongswan so one remote access configuration will accept a client certificate signed by the CA configured on another connection.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

lucasec created this task.Dec 29 2023, 5:59 AM

lucasec created this object in space S1 VyOS Public.

pasik added a subscriber: pasik.Dec 29 2023, 9:45 AM

dmbaturin closed this task as Resolved.Fri, Apr 12, 2:44 PM

dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.4 Sagitta.

ipsec remote access VPN: specify "cacerts" to disambiguate mulitple remote access configurationsClosed, ResolvedPublicActions

Description

Details

Event Timeline

ipsec remote access VPN: specify "cacerts" to disambiguate mulitple remote access configurations
Closed, ResolvedPublic
Actions