[strongSwan] NetworkManager-strongswan-gnome IKEv2 configuration question.

Josh jvpn at use.startmail.com
Mon Jan 21 04:44:33 CET 2019

Hello Tobias,

Thanks for the explanation. The observed behavior creates severe 
usability problems compare to all other desktop and mobile devices with 
don't require custom certificate in this case.
All systems/devices I tried connecting to this server with successfully 
found DST Root certificate in OS/device certificate storage.

Is there any reason strongSwan can't utilize linux system default 
certificates like curl, wget and possibly others do?


On 1/17/19 9:03 AM, Tobias Brunner wrote:
> Hi Josh,
>> Question: why do I need do explicitly extract letsencrypt parent
>> Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
>> certificate from /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>> (found after # DST Root CA X3) and load into configuration dialog?
> strongSwan only extracts the first certificate from a file.  So if you
> don't have a directory on your system with individual CA certificates
> you have to do that manually.  The path used by the NM backend if no CA
> certificate is configured explicitly, is configurable via configure
> script (--with-nm-ca-dir) and config (charon-nm.ca_dir) and defaults to
> /usr/share/ca-certificates.
> Regards,
> Tobias

More information about the Users mailing list