[strongSwan] eap-mschapv2 NetworkManager

Tobias Brunner tobias at strongswan.org
Tue Oct 12 13:40:18 CEST 2010


Hi Peter,

> 2.) However, with an Ubuntu 10.10 box, with the new stable packages, I
> cannot establish a connection.
> I think something is broken (both EAP and certificate authentication).
> Can someone please confirm this?

Unfortunately, the package currently included in Ubuntu 10.10
(4.4.0-2ubuntu1) is broken.  The current package in Debian (4.4.1-5) is
fine however, so whenever that gets adopted in Ubuntu it should work again.

The actual problem is that in the broken package all three socket
implementations (socket-default, socket-dynamic, socket-raw) are
compiled and loaded.  This somehow prevents charon from receiving any
packets at all.  The three plugins are all used in different scenarios:
socket-default in case only IKEv2 is used, socket-dynamic for a special
use case with dynamic ports and finally socket-raw which is used for
mixed setups, with the IKEv1 daemon pluto running on the same host.
For distributions socket-raw is in most cases the right choice.

As a workaround you can explicitly specify the plugins to load in
strongswan.conf (charon.load option).  The default list of plugins can
be retrieved from the log file (or by starting the daemon with "ipsec
start --nofork").  From that list remove the two unneeded socket
implementations, so only socket-raw gets loaded (or socket-default, if
you don't use IKEv1).

Regards,
Tobias
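
The workaround described in the message above, as an added example (not part of the original post and not strongSwan's own code): it reads a plugin list from a log line and emits a charon.load setting with only one socket implementation left in. The "loaded plugins:" log format, the sample line and the function name build_load_line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Build a charon.load line that keeps exactly one socket-* plugin.
# Assumption: the daemon log has a line "... loaded plugins: name1 name2 ...".
# The sample below is constructed, not taken from a real log.

SAMPLE_LOG='00[DMN] loaded plugins: aes sha1 random x509 pubkey openssl kernel-netlink socket-default socket-dynamic socket-raw stroke updown eap-mschapv2 nm'

# build_load_line KEEP_SOCKET < logfile
# Prints "load = ..." with every socket-* plugin except KEEP_SOCKET removed.
# Returns 1 if no plugin list was found, 2 if KEEP_SOCKET was not in the list
# (loading a list without any socket plugin would leave charon deaf again).
build_load_line() {
    keep="$1"
    # Use the most recent plugin list and strip everything up to the colon.
    plugins=$(sed -n 's/^.*loaded plugins:[[:space:]]*//p' | tail -n 1)
    [ -n "$plugins" ] || return 1
    out=""
    found=0
    for p in $plugins; do
        case "$p" in
            "$keep")  found=1 ;;      # the one socket plugin to keep
            socket-*) continue ;;     # drop the other socket implementations
        esac
        out="${out:+$out }$p"
    done
    [ "$found" -eq 1 ] || return 2
    printf 'load = %s\n' "$out"
}

# Emit a strongswan.conf fragment; use socket-default instead of socket-raw
# if IKEv1 (pluto) is not running on the host.
line=$(printf '%s\n' "$SAMPLE_LOG" | build_load_line socket-raw) &&
printf 'charon {\n    %s\n}\n' "$line"
```
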





