Charon-nm not able to find TLS certificate

[jonax69]

Hi, maybe someone can help me trying to figure out with NetworkManager and Strongswan's IKEv2 EAP-TLS authentication. At work we have some firewall appliances acting as IKEv2 endpoints, and user authentication is done with Microsoft NPS (Radius). User certificates are enrolled by an internal CA and deployed either with autoenroll (Windows 10) or exported manually (Linux).
There are no problems on Windows 10 clients and everyone connects and authenticates ok. The same with Linux clients when using ipsec service, but if we try to use the NetworkManager applet we run into trouble.
It complains about not finding the "TLS peer certificate for" the identity of the user after validating the other vpn endpoint certificates and the radius' one.
It's a pity that we must include the identity on the applet, but if we leave itself, the CN of the certificate will be used and our fw appliances won't interpret correctly the user, so no posterior radius check can be done and fails.

Here are some relevant files:

ipsec:
ipsec.conf.txt
ipsec.secrets.txt
charon_debug.log

charon_nm:
VPN_TUNEL.nmconnection.txt
syslog.txt

Private key is decrypted and cert information is as attached:
user_cert.openssl.txt

I followed what was recommended in this link of serverfault.com changing one of the SANs with no luck.

Tests are done on a fresh Ubuntu 21.01 with Strongswan 5.9.1-1ubuntu1 and Strongswan-nm 5.9.1-1ubuntu1

Thanks in advance

EDIT: corrected error on pseudonimization in user_cert.openssl.txt as quoted by @tobiasbrunner

[tobiasbrunner]

Does the SAN actually match the identity you configured? (In your modified output it doesn't.) You could also try increasing the log level for tls (via charon-nm.syslog.daemon.tls in strongswan.conf) to see what's going on during the handshake.

[tobiasbrunner]

I compiled both 437-nm-cert and NetworkManager-strongswan-1.5.2

Ah, did you mean the source tarball from here? If so, then that's the same thing as what you find in src/frontends/gnome.

I've realised that the 437-nm-cert message is slightly different from the previous one.

Yes, the TLS library changed quite a bit with 5.9.2.

Unfortunately, I can't reproduce this. Works fine here with any SAN. Maybe it's an issue with your particular certificate or key.

[jonax69]

Don't worry, thanks for all your efforts! If I finally get it working I'll write back for future reference

[tobiasbrunner]

If you want, you can send me the certificate and key via email and I'll have a look (use this key if you want to do so encrypted).

[jonax69]

success! it works as you stated. User error, I didn't change to the branch after cloning the repo 🤦 Sorry for making you lose your time.

Just to know, is there any chance that this feature can be added officially on future releases?

[tobiasbrunner]

No problem, great you got it working eventually.

Just to know, is there any chance that this feature can be added officially on future releases?

Yes, it will be included in the next release (8dbf40d is now in master). However, it will take some time until that version makes it to distros.