[strongSwan] Ubuntu CLI client works Network Manager fails

Tobias Brunner tobias at strongswan.org
Fri Dec 1 15:34:29 CET 2017


Hi Alex,

> so you're saying that my radius server also needs to have vpn.york.ac.uk
> as a SubjAltName in it as well?

Yes, that's one option.  Not using the NM plugin is another.  With the
config files you can set the AAA identity to vpn.york.ac.uk so it
matches the certificate (or %any so any identity is accepted, the RADIUS
server's certificate just has to be trusted).  You can also patch
charon-nm so it sets the AAA identity, or make it even configurable in
the GUI.

You can also not use EAP-PEAP and just authenticate the clients with
EAP-MSCHAPv2/MD5/GTC directly (and if necessary secure the connection
between VPN and RADIUS server with IPsec).

Regards,
Tobias
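
The config-file option described in the reply above, as an added example that is not part of the original message or strongSwan's own documentation: a client-side ipsec.conf connection that sets the AAA identity for EAP-PEAP. The connection name, user name, gateway address and subnet are assumptions; the keywords are standard ipsec.conf options.

```conf
# /etc/ipsec.conf on the client (constructed example)
conn york-vpn
    keyexchange=ikev2
    # Gateway address: assumed to be the host name mentioned in the thread
    right=vpn.york.ac.uk
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    # Request a virtual IP from the gateway
    leftsourceip=%config
    # Client authenticates with EAP-PEAP, terminated at the RADIUS server
    leftauth=eap-peap
    # Hypothetical user name
    eap_identity=alice
    # Identity the RADIUS (AAA) server's certificate must match
    # inside the PEAP tunnel (value taken from the reply)
    aaa_identity=vpn.york.ac.uk
    # Alternative from the reply: accept any identity, as long as the
    # RADIUS server's certificate is trusted
    # aaa_identity=%any
    auto=add
```

Pinning `aaa_identity` to a specific name is the stricter of the two settings, since `%any` accepts every certificate the client trusts regardless of the name in it.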

