https://bugs.kde.org/show_bug.cgi?id=429639

            Bug ID: 429639
           Summary: Strongswan connection editor adds an empty certificate
                    parameter
           Product: plasma-nm
           Version: 5.19.5
          Platform: Kubuntu Packages
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: editor
          Assignee: jgrul...@redhat.com
          Reporter: andy...@mail.ru
  Target Milestone: ---

SUMMARY

When saving a Strongswan VPN connection (EAP, with username/password and no
certificate), the connection editor creates a "certificate=" line with no value
in the "[vpn]" section of the connection config. As a result, NetworkManager
passes an empty certificate path to Strongswan, which fails to load the
certificate, and thus fails the connection process.

This was not a problem with NetworkManager 1.22.10 and earlier, but it has
become a problem with 1.26.2. Presumably, older versions contained a workaround
which has been removed. As a result, the connection configs that worked in
Kubuntu 20.04 stopped working after upgrade to 20.10.

STEPS TO REPRODUCE

1. Create a Strongswan VPN connection. Input Gateway address, select EAP
authentication method, input username and password. Leave certificate field
empty.
2. Go to the created connection settings and change them. For example, enable
this connection for all users in the General settings tab. Keep the certificate
field empty. Click Apply.
3. Navigate to the connection config file in
/etc/NetworkManager/system-connections. Check if it has a "certificate=" line
in the "[vpn]" section.
4. Try to establish the connection.

OBSERVED RESULT

In step 3, I can see the "certificate=" line.

In step 4, the connection fails to establish. There are the following lines in
syslog:

25 Nov 2020 01:01:41    NetworkManager  <info>  [1606255301.5949] audit:
op="connection-activate" uuid="ef38a0ab-5255-4a0b-a56d-b65efad01750"
name="MySwanVPN" pid=4287 uid=1000 result="success"
25 Nov 2020 01:01:41    NetworkManager  <info>  [1606255301.5978]
vpn-connection[0x5645cdeb6500,ef38a0ab-5255-4a0b-a56d-b65efad01750,"MySwanVPN",0]:
Saw the service appear; activating connection
25 Nov 2020 01:01:41    charon-nm       05[CFG] received initiate for
NetworkManager connection MySwanVPN
25 Nov 2020 01:01:41    charon-nm       05[LIB]   opening '' failed: No such
file or directory
25 Nov 2020 01:01:41    charon-nm       05[LIB] building CRED_CERTIFICATE -
X509 failed, tried 6 builders
25 Nov 2020 01:01:41    NetworkManager  <warn>  [1606255301.6040]
vpn-connection[0x5645cdeb6500,ef38a0ab-5255-4a0b-a56d-b65efad01750,"MySwanVPN",0]:
VPN connection: failed to connect: 'Loading gateway certificate failed.'

EXPECTED RESULT

No empty "certificate=" line should be added, and the connection should succeed.

SOFTWARE/OS VERSIONS

Operating System: Kubuntu 20.10
KDE Plasma Version: 5.19.5
KDE Frameworks Version: 5.74.0
Qt Version: 5.14.2
NetworkManager version: 1.26.2
Kernel Version: 5.8.0-29-lowlatency
OS Type: 64-bit
Processors: 8 × Intel® Core™ i7-2600K CPU @ 3.40GHz
Memory: 15.6 GiB of RAM
Graphics Processor: GeForce RTX 2080 Ti/PCIe/SSE2

ADDITIONAL INFORMATION

One workaround is to remove the "certificate=" line from the connection config
and then reboot (since NetworkManager loads configs on boot and doesn't reload
them on connection). But this has to be done every time you change something in
the connection editor, since it will add this line again every time it saves
the config.

Another workaround is to downgrade NetworkManager to 1.22.10 or older, but this
may be problematic as it will likely break package dependencies on the system.

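The first workaround in the report, written as a check that can be run over keyfiles. This is an added example, not part of the original report or of plasma-nm. It finds and drops a value-less "certificate=" key in the "[vpn]" section of a strongswan connection and leaves other VPN plugins alone. The sample keyfile, its address and its user are constructed.

```python
import re
import sys

STRONGSWAN = "service-type=org.freedesktop.NetworkManager.strongswan"
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
EMPTY_CERT_RE = re.compile(r"^\s*certificate\s*=\s*$")

# Constructed sample keyfile (address and user are made up).
SAMPLE = """\
[connection]
id=MySwanVPN
type=vpn

[vpn]
address=vpn.example.org
certificate=
method=eap
user=alice
service-type=org.freedesktop.NetworkManager.strongswan
"""

def strip_empty_certificate(text):
    """Return (cleaned_text, removed_line_numbers) for one keyfile."""
    if STRONGSWAN not in text:          # leave other VPN plugins alone
        return text, []
    section, kept, removed = None, [], []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1)
        elif section == "vpn" and EMPTY_CERT_RE.match(line):
            removed.append(lineno)      # key present but has no value
            continue
        kept.append(line)
    return "".join(kept), removed

if __name__ == "__main__":
    # Usage: script.py [--fix] KEYFILE...   (report only unless --fix)
    fix = "--fix" in sys.argv[1:]
    for path in (a for a in sys.argv[1:] if a != "--fix"):
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        cleaned, removed = strip_empty_certificate(original)
        if removed:
            print(f"{path}: empty certificate= on line(s) {removed}")
            if fix:
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(cleaned)
```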