[strongSwan] Ubuntu CLI client works Network Manager fails

Alex Sharaz alex.sharaz at york.ac.uk
Thu Nov 30 13:09:03 CET 2017


Hi,
I've just built SSwan from 5.6.1 source and tried to build a Network
Manager plugin (Ubuntu 16.04.3). Unfortunately, although my CLI
settings work, my NM plugin fails every time.

I've built sswan using

./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
--disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2
--disable-fips-prf --disable-gmp --enable-openssl --enable-nm
--enable-agent --enable-eap-mschapv2 --enable-eap-identity --enable-curl
--enable-eap-peap --with-nm-ca-dir=/etc/ipsec.d/cacerts

where --with-nm-ca-dir points to the directory with the root and
intermediate CA files for our sswan server.

I also set /etc/strongswan.conf

charon-nm.ca_dir = /etc/ipsec.d/cacerts

When building the Network Manager plugin I use

./configure --sysconfdir=/etc --prefix=/usr
--with-charon=/usr/lib/ipsec/charon-nm


From the command line everything works and I can establish a VPN.
However, from the NM plugin it fails every time. Looking in /var/log/syslog,
I find the following charon-nm logs:

ons/Alex4 (a58e8483-c113-4143-a7d2-08c8cbbb1ff3,"Alex4")
Nov 30 12:05:11 deadpool NetworkManager[32238]: <info>  [1512043511.1766]
vpn-connection[0xfcf760,a58e8483-c113-4143-a7d2-08c8cbbb1ff3,"Alex4",0]:
VPN connection: (ConnectInteractive) reply received
Nov 30 12:05:11 deadpool charon-nm: 05[CFG] received initiate for
NetworkManager connection Alex4
Nov 30 12:05:11 deadpool charon-nm: 05[LIB] opening directory
'/usr/ssl-certs/mozilla' failed: No such file or directory
Nov 30 12:05:11 deadpool charon-nm: 05[CFG] using CA certificate, gateway
identity 'vpn.york.ac.uk'
Nov 30 12:05:11 deadpool charon-nm: 05[IKE] initiating IKE_SA Alex4[9] to
144.32.128.199
Nov 30 12:05:11 deadpool charon-nm: 05[ENC] generating IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP)
]
Nov 30 12:05:11 deadpool charon-nm: 05[NET] sending packet: from
144.32.230.152[53229] to 144.32.128.199[500] (75

Now the thing is that in a previous build I had
--with-nm-ca-dir=/etc/ssl-certs/mozilla

So whatever I'm doing now is still picking up that value instead of looking
in /etc/ipsec.d/cacerts.

I've done a make distclean in both the strongswan source and the Network
Manager source before running ./configure... ; make; make install

What do I have to do to make the plugin use my new value?