[strongSwan] Ubuntu CLI client works Network Manager fails

Tobias Brunner tobias at strongswan.org
Fri Dec 1 14:47:04 CET 2017


Hi Alex,

> # Where is this coming from ? The cert on vpn.york.ac.uk
> lives on a host called vpn10.york.ac.uk
>  and has multiple SubjAlt Name entries for all
> the real vpn servers we might want to use the cert on.
> # Think this is "wrong " message, 
> Dec  1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not
> match to 'vpn.york.ac.uk'
> Dec  1 10:40:13 deadpool charon-nm: 06[TLS] sending fatal TLS alert
> 'access denied'

That's the certificate provided by the RADIUS server during EAP-PEAP.
As you can't specify an AAA identity with the NM frontend the server's
IKE identity (i.e. the hostname) must be contained as subjecAltName in
that certificate too.

Regards,
Tobias


More information about the Users mailing list