T5871: ipsec remote access VPN: specify "cacerts" for client auth (backport #2708)

[mergify]

Change Summary

For authentication methods that depend on validating a client certificate against a CA (e.g. EAP-TLS), we currently do not explicitly tell strongswan which CA to use. This PR specifies the cacerts option explicitly for every connection to ensure the connection only accepts certificates signed by its specific CA.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

• https://vyos.dev/T5871

Related PR(s)

N/A

Component(s) name

ipsec remote-access

Proposed changes

The configured CA certificate fro the connection is added to the swanctl.conf connection definition using the cacerts option.

How to test

Example configuration:

[edit vpn ipsec remote-access connection ClientVPN]
lucas@lcn-router# show
 authentication {
     client-mode eap-tls
     local-id <local id>
     server-mode x509
     x509 {
         ca-certificate <ca certificate name>
         certificate <server certificate name>
     }
 }
 local-address <router IP address>
 ...

Validate that /etc/swanctl/swanctl.conf specifies cacerts = <ca certificate name>_1.pem under remote.

Smoketest result

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

---

This is an automatic backport of pull request #2708 done by [Mergify](https://mergify.com).