Page MenuHomeVyOS Platform
Create Task
Maniphest T5871

ipsec remote access VPN: specify "cacerts" to disambiguate mulitple remote access configurations
Closed, ResolvedPublic
Actions

Description

For authentication methods that depend on validating a client certificate against a CA (e.g. EAP-TLS), we currently do not explicitly tell strongswan which CA to use. All CAs configured for any remote access VPN configuration are loaded into strongswan so one remote access configuration will accept a client certificate signed by the CA configured on another connection.

Details

Version
-
Is it a breaking change?
Perfectly compatible

Related Objects

Event Timeline

lucasec created this task.Dec 29 2023, 5:59 AM
lucasec created this object in space S1 VyOS Public.
pasik subscribed.Dec 29 2023, 9:45 AM
Restricted Repository Identity mentioned this in rVYOSONEXd15db95d96ea: Merge pull request #3202 from sarthurdev/T5606_1.Mar 28 2024, 4:11 PM
sarthurdev mentioned this in rVYOSONEX952b1656f516: ipsec: T5606: T5871: Use multi node for CA certificates.Mar 28 2024, 4:11 PM
Restricted Repository Identity mentioned this in rVYOSONEX557694e1ab61: ipsec: T5606: T5871: Use multi node for CA certificates.Mar 28 2024, 4:11 PM
Restricted Repository Identity mentioned this in rVYOSONEX010c5890c9bd: Merge pull request #3205 from vyos/mergify/bp/sagitta/pr-3202.Mar 28 2024, 5:17 PM
Restricted Repository Identity mentioned this in rVYOSONEX041a57d69dc7: Merge pull request #2708 from lucasec/t5871.Apr 12 2024, 5:09 AM
lucasec mentioned this in rVYOSONEXecc83562b4d7: T5871: ipsec remote access VPN: specify "cacerts" for client auth..Apr 12 2024, 5:09 AM
Restricted Repository Identity mentioned this in rVYOSONEX7100a5797bce: T5871: ipsec remote access VPN: specify "cacerts" for client auth..Apr 12 2024, 9:13 AM
dmbaturin closed this task as Resolved.Apr 12 2024, 2:44 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.4 Sagitta.
Restricted Repository Identity mentioned this in rVYOSONEX28983d57e6d1: Merge pull request #3298 from vyos/mergify/bp/sagitta/pr-2708.Apr 12 2024, 3:20 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.May 11 2024, 5:24 PM
dmbaturin changed Issue type from Unspecified (please specify) to improvement.
c-po mentioned this in rVYOSONEXe6fe6e50a5c8: op-mode: ipsec: T6407: fix profile generation.May 30 2024, 2:35 PM
Restricted Repository Identity mentioned this in rVYOSONEX55ae2ca0b17f: op-mode: ipsec: T6407: fix profile generation.May 30 2024, 2:36 PM