[strongSwan] Ubuntu CLI client works Network Manager fails

Alex Sharaz alex.sharaz at york.ac.uk
Fri Dec 1 15:08:27 CET 2017

So just to check, our radius server has a cert with a CN=radius.york.ac.uk
and its SubjAltNames are

  X509v3 Subject Alternative Name:
                DNS:radius.york.ac.uk, DNS:www.radius.york.ac.uk

so you're saying that my radius server also needs to have vpn.york.ac.uk as
a SubjAltName in it as well ?

If so, really really don't want to do that

On 1 December 2017 at 13:47, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Alex,
> > # Where is this coming from ? The cert on vpn.york.ac.uk
> > lives on a host called vpn10.york.ac.uk
> >  and has multiple SubjAlt Name entries for all
> > the real vpn servers we might want to use the cert on.
> > # Think this is "wrong " message,
> > Dec  1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not
> > match to 'vpn.york.ac.uk'
> > Dec  1 10:40:13 deadpool charon-nm: 06[TLS] sending fatal TLS alert
> > 'access denied'
> That's the certificate provided by the RADIUS server during EAP-PEAP.
> As you can't specify an AAA identity with the NM frontend the server's
> IKE identity (i.e. the hostname) must be contained as subjecAltName in
> that certificate too.
> Regards,
> Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171201/c630655d/attachment.html>

More information about the Users mailing list