[strongSwan] Ubuntu CLI client works Network Manager fails

Alex Sharaz alex.sharaz at york.ac.uk
Fri Dec 1 15:08:27 CET 2017


So just to check, our radius server has a cert with a CN=radius.york.ac.uk
and its SubjAltNames are

  X509v3 Subject Alternative Name:
                DNS:radius.york.ac.uk, DNS:www.radius.york.ac.uk

so you're saying that my radius server also needs to have vpn.york.ac.uk as
a SubjAltName in it as well?

If so, really really don't want to do that
A

On 1 December 2017 at 13:47, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Alex,
>
> > # Where is this coming from ? The cert on vpn.york.ac.uk
> > lives on a host called vpn10.york.ac.uk
> >  and has multiple SubjAlt Name entries for all
> > the real vpn servers we might want to use the cert on.
> > # Think this is "wrong " message,
> > Dec  1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not
> > match to 'vpn.york.ac.uk'
> > Dec  1 10:40:13 deadpool charon-nm: 06[TLS] sending fatal TLS alert
> > 'access denied'
>
> That's the certificate provided by the RADIUS server during EAP-PEAP.
> As you can't specify an AAA identity with the NM frontend the server's
> IKE identity (i.e. the hostname) must be contained as subjectAltName in
> that certificate too.
>
> Regards,
> Tobias
>
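
The check discussed in this thread, as an added example that is not part of the original messages and is not strongSwan code: it parses the subjectAltName line in the openssl text format quoted above and tests whether the expected identity is among the DNS entries. The function names, the aaa_identity parameter and the exact-match rule are assumptions made for illustration; the sample certificate text is constructed from the SAN values in the thread.

```python
# Constructed sample: excerpt in `openssl x509 -noout -text` layout, using the
# SAN values quoted in the thread for the RADIUS server certificate.
RADIUS_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:radius.york.ac.uk, DNS:www.radius.york.ac.uk
            X509v3 Basic Constraints:
                CA:FALSE
"""


def san_dns_names(cert_text):
    """Return the lowercase DNS entries from the subjectAltName line."""
    lines = cert_text.splitlines()
    for i, line in enumerate(lines):
        # The values sit on the line after the extension header.
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            return [e[4:].lower().rstrip(".") for e in entries if e.startswith("DNS:")]
    return []


def expected_identity(gateway_host, aaa_identity=None):
    """Identity the EAP server certificate must carry (hypothetical model):
    the AAA identity if one is configured, otherwise the IKE gateway
    hostname, which is the case described for the NM frontend."""
    return (aaa_identity or gateway_host).lower().rstrip(".")


def check_aaa_cert(cert_text, gateway_host, aaa_identity=None):
    """Return (ok, expected, sans). Assumption: exact, case-insensitive match."""
    sans = san_dns_names(cert_text)
    expected = expected_identity(gateway_host, aaa_identity)
    return expected in sans, expected, sans


if __name__ == "__main__":
    for aaa in (None, "radius.york.ac.uk"):
        ok, expected, sans = check_aaa_cert(RADIUS_CERT_TEXT, "vpn.york.ac.uk", aaa)
        verdict = "match" if ok else "NO MATCH"
        print(f"aaa_identity={aaa!r}: expect {expected!r} in {sans} -> {verdict}")
```

With no AAA identity the expected name falls back to vpn.york.ac.uk and the check fails, which corresponds to the "server certificate does not match" log line; with radius.york.ac.uk as the expected identity the same certificate passes.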