[strongSwan] EAP-MSCHAPV2/PEAP client connection from Network Manager

Tobias Brunner tobias at strongswan.org
Wed Apr 17 08:48:51 CEST 2019

Hi Chris,

The NM plugin currently does not provide an option to configure the
expected AAA server identity.  So the IKE identity is reused and
enforced.  This will fail if the AAA server uses a different identity
during EAP-PEAP/(T)TLS:

> [IKE] authentication of 'CN=vpn.company.com' with RSA signature successful
> ...
> [TLS] server certificate does not match to 'CN=vpn.company.com'

> What we found key was the leftauth method has to be eap-mschapv2. That
> doesn't seem to be available in the network manager config.

While the authentication method can't be configured explicitly in the NM
plugin, you can prevent the eap-peap plugin from getting loaded so plain
EAP-MSCHAPv2 will be used.  To do so, configure
charon-nm.plugins.eap-peap.load = no in strongswan.conf (note that this
requires at least 5.5.0 to work; in older releases the complete list of
plugins has to be provided in charon-nm.load, see [1] for details).


[1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
