[strongSwan] Ubuntu CLI client works Network Manager fails

Alex Sharaz alex.sharaz at york.ac.uk
Mon Dec 4 11:08:02 CET 2017

So, from the documentation on the Network plugin

...If you configure the gateway certificate directly on the clients, there
are no requirements to the certificate. If you deploy CA certificates
(supported since 4.3.1
<https://wiki.strongswan.org/projects/strongswan/wiki/431>), the gateway
certificate will need a *subjectAltName* including the host name of the
gateway (the same you enter in the clients configuration). ......

So if my client is connecting to vpn.york.ac.uk, the cert that needs
installing is vpn.york.ac.uk ..... swhere /etc/ipsed.d/aacerts
/etc/ipsed.d/certs ?


On 1 December 2017 at 16:05, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:

> or I could install freeradius on the strongswan server and let it handle
> the eap side of things and then there is a virtual server that proxies off
> the inner tunnel stuff to another server for authentication. That way the
> radius server uses the strongswan server cert  so we don't have this
> problem.
> Would be better than changing code and sswan config still uses eap-radius
> but points to itself
> A
> On 1 December 2017 at 15:21, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
>> o.k lots of options ...
>> Think I need the charon-nm for our Ubuntu network manager users .. keeps
>> it simple
>> Think Il'l try patching charon-nm first
>> Thanks
>> A
>> On 1 December 2017 at 14:34, Tobias Brunner <tobias at strongswan.org>
>> wrote:
>>> Hi Alex,
>>> > so you're saying that my radius server also needs to have
>>> vpn.york.ac.uk
>>> > as a SubjAltName in it as well ?
>>> Yes, that's one option.  Not using the NM plugin is another.  With the
>>> config files you can set the AAA identity to vpn.york.ac.uk so it
>>> matches the certificate (or %any so any identity is accepted, the RADIUS
>>> server's certificate just has to be trusted).  You can also patch
>>> charon-nm so it sets the AAA identity, or make it even configurable in
>>> the GUI.
>>> You can also not use EAP-PEAP and just authenticate the clients with
>>> EAP-MSCHAPv2/MD5/GTC directly (and if necessary secure the connection
>>> between VPN and RADIUS server with IPsec).
>>> Regards,
>>> Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171204/7f88a250/attachment.html>

More information about the Users mailing list