OK, deleted source tree and started again. It now looks as if there's a difference between what happens when talking to the RADIUS server used by the VPN server.

Below is a snippet from /var/log/syslog for the charon-nm process. As before, CLI VPN connections just work. I've run the following ./configure:

./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 --disable-fips-prf --disable-gmp --enable-openssl --enable-nm --enable-agent --enable-eap-mschapv2 --enable-eap-identity --enable-curl --enable-eap-peap --with-nm-ca-dir=/etc/ssl/certs

I've created a network manager config called Alex99, specifying a gateway server FQDN of vpn.york.ac.uk with no cert specified and client authentication of EAP, specifying my account (as1...@york.ac.uk).

On the VPN server both the CLI-initiated VPN connection and the Network Manager-initiated one use the same VPN server connection definition.

#
# Initiating vpn connection request from network manager
# .. to server vpn.york.ac.uk
#
Dec 1 10:40:13 deadpool charon-nm: 05[CFG] received initiate for NetworkManager connection Alex99
Dec 1 10:40:13 deadpool charon-nm: 05[CFG] C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3 is not self signed
Dec 1 10:40:13 deadpool charon-nm: 05[CFG] C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Organization Validation Secure Server CA is not self signed
Dec 1 10:40:13 deadpool charon-nm: 05[CFG] using CA certificate, gateway identity 'vpn.york.ac.uk'
Dec 1 10:40:13 deadpool charon-nm: 05[IKE] initiating IKE_SA Alex99[6] to 144.32.128.199
Dec 1 10:40:13 deadpool charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 1 10:40:13 deadpool charon-nm: 05[NET] sending packet: from 144.32.230.152[45805] to 144.32.128.199[500] (752 bytes)
Dec 1 10:40:13 deadpool charon-nm: 08[NET] received packet: from 144.32.128.199[500] to 144.32.230.152[45805] (38 bytes)
Dec 1 10:40:13 deadpool charon-nm: 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec 1 10:40:13 deadpool charon-nm: 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Dec 1 10:40:13 deadpool charon-nm: 08[IKE] initiating IKE_SA Alex99[6] to 144.32.128.199
Dec 1 10:40:13 deadpool charon-nm: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 1 10:40:13 deadpool charon-nm: 08[NET] sending packet: from 144.32.230.152[45805] to 144.32.128.199[500] (944 bytes)
Dec 1 10:40:13 deadpool charon-nm: 09[NET] received packet: from 144.32.128.199[500] to 144.32.230.152[45805] (464 bytes)
Dec 1 10:40:13 deadpool charon-nm: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Dec 1 10:40:13 deadpool charon-nm: 09[IKE] faking NAT situation to enforce UDP encapsulation
#
# Why does charon do this? These certs are located in /etc/ipsec.d/cacerts on the client machine.
#
#
Dec 1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Dec 1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
Dec 1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Organization Validation Secure Server CA"
Dec 1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
#
#
#
Dec 1 10:40:13 deadpool charon-nm: 09[IKE] establishing CHILD_SA Alex99{6}
Dec 1 10:40:13 deadpool charon-nm: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Dec 1 10:40:13 deadpool charon-nm: 09[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (412 bytes)
Dec 1 10:40:13 deadpool charon-nm: 10[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1248 bytes)
Dec 1 10:40:13 deadpool charon-nm: 10[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
Dec 1 10:40:13 deadpool charon-nm: 10[ENC] received fragment #1 of 3, waiting for complete IKE message
Dec 1 10:40:13 deadpool charon-nm: 11[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1248 bytes)
Dec 1 10:40:13 deadpool charon-nm: 11[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
Dec 1 10:40:13 deadpool charon-nm: 11[ENC] received fragment #2 of 3, waiting for complete IKE message
Dec 1 10:40:13 deadpool charon-nm: 12[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (128 bytes)
Dec 1 10:40:13 deadpool charon-nm: 12[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
Dec 1 10:40:13 deadpool charon-nm: 12[ENC] received fragment #3 of 3, reassembling fragmented IKE message
Dec 1 10:40:13 deadpool charon-nm: 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 1 10:40:13 deadpool charon-nm: 12[IKE] received end entity cert "C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN= vpn.york.ac.uk"
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] using certificate "C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN= vpn.york.ac.uk"
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] using trusted intermediate ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] checking certificate status of "C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN= vpn.york.ac.uk"
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response correctly signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature"
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response is valid: until Dec 03 09:49:51 2017
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] using cached ocsp response
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] certificate status is good
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] using trusted ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] checking certificate status of "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response verification failed, invalid signature
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response correctly signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature"
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response is valid: until Dec 03 09:49:51 2017
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] using cached ocsp response
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] certificate status is good
#
# Should I worry about this? It's a normal server cert.
#
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] certificate policy 1.3.6.1.4.1.8024.0.2.100.1.1 for 'C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=vpn.york.ac.uk' not allowed by trustchain, ignored
Dec 1 10:40:13 deadpool charon-nm: 12[CFG] reached self-signed root ca with a path length of 1
Dec 1 10:40:13 deadpool charon-nm: 12[IKE] authentication of ' vpn.york.ac.uk' with RSA_EMSA_PKCS1_SHA2_256 successful
#
# So at this point the client recognises vpn.york.ac.uk as a valid certificate
# ... so start the EAP-PEAP authentication
#
Dec 1 10:40:13 deadpool charon-nm: 12[IKE] server requested EAP_IDENTITY (id 0x00), sending 'as1...@york.ac.uk'
Dec 1 10:40:13 deadpool charon-nm: 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 1 10:40:13 deadpool charon-nm: 12[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (92 bytes)
Dec 1 10:40:13 deadpool charon-nm: 13[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (76 bytes)
Dec 1 10:40:13 deadpool charon-nm: 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
Dec 1 10:40:13 deadpool charon-nm: 13[IKE] server requested EAP_PEAP authentication (id 0x01)
Dec 1 10:40:13 deadpool charon-nm: 13[TLS] EAP_PEAP version is v1
Dec 1 10:40:13 deadpool charon-nm: 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
Dec 1 10:40:13 deadpool charon-nm: 13[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (268 bytes)
Dec 1 10:40:13 deadpool charon-nm: 14[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)
Dec 1 10:40:13 deadpool charon-nm: 14[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
Dec 1 10:40:13 deadpool charon-nm: 14[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Dec 1 10:40:13 deadpool charon-nm: 14[ENC] generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
Dec 1 10:40:13 deadpool charon-nm: 14[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)
Dec 1 10:40:13 deadpool charon-nm: 15[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)
Dec 1 10:40:13 deadpool charon-nm: 15[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
Dec 1 10:40:13 deadpool charon-nm: 15[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
Dec 1 10:40:13 deadpool charon-nm: 15[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)
Dec 1 10:40:13 deadpool charon-nm: 16[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)
Dec 1 10:40:13 deadpool charon-nm: 16[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]
Dec 1 10:40:13 deadpool charon-nm: 16[ENC] generating IKE_AUTH request 6 [ EAP/RES/PEAP ]
Dec 1 10:40:13 deadpool charon-nm: 16[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)
Dec 1 10:40:13 deadpool charon-nm: 06[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)
Dec 1 10:40:13 deadpool charon-nm: 06[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/PEAP ]
#
# Where is this coming from? The cert on vpn.york.ac.uk lives on a host called vpn10.york.ac.uk and has multiple SubjAlt Name entries for all the real vpn servers we might want to use the cert on.
# Think this is the "wrong" message,
Dec 1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not match to 'vpn.york.ac.uk'
Dec 1 10:40:13 deadpool charon-nm: 06[TLS] sending fatal TLS alert 'access denied'
#
# So I guess it's failed now. Now looking at the RADIUS server end I can see a failed eap-peap auth request for my userid.
#
Dec 1 10:40:13 deadpool charon-nm: 06[ENC] generating IKE_AUTH request 7 [ EAP/RES/PEAP ]
Dec 1 10:40:13 deadpool charon-nm: 06[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (92 bytes)
Dec 1 10:40:15 deadpool charon-nm: 07[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (76 bytes)
Dec 1 10:40:15 deadpool charon-nm: 07[ENC] parsed IKE_AUTH response 7 [ EAP/FAIL ]
Dec 1 10:40:15 deadpool charon-nm: 07[IKE] received EAP_FAILURE, EAP authentication failed
Dec 1 10:40:15 deadpool charon-nm: 07[ENC] generating INFORMATIONAL request 8 [ N(AUTH_FAILED) ]
Dec 1 10:40:15 deadpool charon-nm: 07[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)

On the VPN server I can see that the same service definition is being used. On the RADIUS server I can see one connection from the VPN client succeeding and one failing.

How can I increase charon-nm debugging on the client to see what it's doing? Setting charondebug doesn't seem to do anything for Network Manager VPN initiations.

Rgds
Alex

On 1 December 2017 at 09:40, Tobias Brunner <tob...@strongswan.org> wrote:
> Hi Alex,
>
> > What do i have to do to make the plugin use my new value ?
>
> No idea. Just make sure the executables you built are actually the ones
> that are installed and get executed. Alternatively, you may also
> configure the directory via charon-nm.ca_dir in strongswan.conf.
>
> Regards,
> Tobias
>
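Added here as an illustration, not part of Alex's post or of strongSwan: a small triage helper that parses charon-nm syslog lines of the shape quoted above and reports which layer first failed (outer IKE peer authentication versus the inner EAP-PEAP TLS handshake), which is the distinction the log above turns on. The sample lines are a constructed excerpt of that log.

```python
import re

# Shape of the charon-nm syslog lines quoted in the post, e.g.
# "Dec 1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not match to 'vpn.york.ac.uk'"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon-nm: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)

# Constructed excerpt of the post's log: only the lines that decide the diagnosis.
SAMPLE_LOG = """\
Dec 1 10:40:13 deadpool charon-nm: 05[IKE] initiating IKE_SA Alex99[6] to 144.32.128.199
Dec 1 10:40:13 deadpool charon-nm: 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Dec 1 10:40:13 deadpool charon-nm: 12[IKE] authentication of ' vpn.york.ac.uk' with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 1 10:40:13 deadpool charon-nm: 13[IKE] server requested EAP_PEAP authentication (id 0x01)
Dec 1 10:40:13 deadpool charon-nm: 14[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Dec 1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not match to 'vpn.york.ac.uk'
Dec 1 10:40:13 deadpool charon-nm: 06[TLS] sending fatal TLS alert 'access denied'
Dec 1 10:40:15 deadpool charon-nm: 07[IKE] received EAP_FAILURE, EAP authentication failed
"""

def parse(log):
    """Yield one dict per charon-nm line; lines in any other format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log):
    """Single pass over the log: record what each layer negotiated and where it first broke."""
    facts = {"dh_regroup": None, "ike_peer_auth": None, "eap_method": None,
             "tls_suite": None, "failure_layer": None, "failure_reason": None}
    for e in parse(log):
        g, msg = e["group"], e["msg"]
        if g == "IKE" and "it requested " in msg:
            facts["dh_regroup"] = msg.split("it requested ")[1]   # group forced by INVAL_KE
        elif g == "IKE" and msg.startswith("authentication of "):
            facts["ike_peer_auth"] = "ok" if msg.endswith("successful") else "failed"
        elif g == "IKE" and (m := re.search(r"requested (EAP_\w+) authentication", msg)):
            facts["eap_method"] = m.group(1)
        elif g == "TLS" and msg.startswith("negotiated "):
            facts["tls_suite"] = msg.split("using suite ")[1]
        elif facts["failure_layer"] is None:
            # First hard failure wins: a TLS name-check failure inside PEAP means the outer
            # IKE peer authentication already passed and the inner EAP-PEAP tunnel failed.
            if g == "TLS" and "does not match" in msg:
                facts["failure_layer"], facts["failure_reason"] = "EAP-PEAP TLS", msg
            elif g == "IKE" and "EAP_FAILURE" in msg:
                facts["failure_layer"], facts["failure_reason"] = "EAP", msg
    return facts
```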