Network Manager + Strongswan certificate error

Hello,

I am using Manjaro KDE and quite happy with it!

There is a small but very annoying bug somewhere between NetworkManager, networkmanager-strongswan and strongswan, in particular when configuring a VPN.

What happens is, leaving a blank field, for example “Certificate”, results in a wrongly added field without a value in the vpn.data setting of the vpn connection, in this case "certificate = ".
The same happens with all other fields.

I have tried the same in other distros and the issue does not appear.

Here is the hardware and software info:

System:
  Kernel: 5.4.60-2-MANJARO x86_64 bits: 64 compiler: gcc v: 10.2.0 
  parameters: BOOT_IMAGE=/boot/vmlinuz-5.4-x86_64 
  root=UUID=62d25531-2c45-4d0c-99b4-4d33bef35d38 rw quiet apparmor=1 
  security=apparmor udev.log_priority=3 
  Desktop: KDE Plasma 5.19.4 tk: Qt 5.15.0 wm: kwin_x11 dm: SDDM 
  Distro: Manjaro Linux 
Machine:
  Type: Laptop System: Dell product: XPS 15 7590 v: N/A serial: <filter> 
  Chassis: type: 10 serial: <filter> 
  Mobo: Dell model: 0VYV0G v: A00 serial: <filter> UEFI: Dell v: 1.8.1 
  date: 07/03/2020 
Battery:
  ID-1: BAT0 charge: 40.6 Wh condition: 86.3/97.0 Wh (89%) volts: 11.3/11.4 
  model: SMP DELL GPM0365 type: Li-ion serial: <filter> status: Discharging 
CPU:
  Topology: 6-Core model: Intel Core i7-9750H bits: 64 type: MT MCP 
  arch: Kaby Lake family: 6 model-id: 9E (158) stepping: A (10) microcode: D6 
  L2 cache: 12.0 MiB 
  flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx 
  bogomips: 62431 
  Speed: 800 MHz min/max: 800/4500 MHz Core speeds (MHz): 1: 800 2: 801 3: 800 
  4: 800 5: 800 6: 800 7: 800 8: 800 9: 800 10: 800 11: 800 12: 800 
  Vulnerabilities: Type: itlb_multihit status: KVM: Split huge pages 
  Type: l1tf 
  mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable 
  Type: mds mitigation: Clear CPU buffers; SMT vulnerable 
  Type: meltdown mitigation: PTI 
  Type: spec_store_bypass 
  mitigation: Speculative Store Bypass disabled via prctl and seccomp 
  Type: spectre_v1 
  mitigation: usercopy/swapgs barriers and __user pointer sanitization 
  Type: spectre_v2 mitigation: Full generic retpoline, IBPB: conditional, 
  IBRS_FW, STIBP: conditional, RSB filling 
  Type: srbds mitigation: Microcode 
  Type: tsx_async_abort status: Not affected 
Graphics:
  Device-1: Intel UHD Graphics 630 vendor: Dell driver: i915 v: kernel 
  bus ID: 00:02.0 chip ID: 8086:3e9b 
  Device-2: NVIDIA TU117M [GeForce GTX 1650 Mobile / Max-Q] 
  vendor: Hewlett-Packard driver: nvidia v: 440.100 
  alternate: nouveau,nvidia_drm bus ID: 01:00.0 chip ID: 10de:1f91 
  Device-3: Microdia Integrated_Webcam_HD type: USB driver: uvcvideo 
  bus ID: 1-12:4 chip ID: 0c45:6723 
  Display: x11 server: X.Org 1.20.8 compositor: kwin_x11 
  driver: modesetting,nvidia alternate: fbdev,intel,nouveau,nv,vesa 
  display ID: :0 screens: 1 
  Screen-1: 0 s-res: 1920x1080 s-dpi: 96 s-size: 508x285mm (20.0x11.2") 
  s-diag: 582mm (22.9") 
  Monitor-1: eDP-1 res: 1920x1080 hz: 60 dpi: 142 size: 344x194mm (13.5x7.6") 
  diag: 395mm (15.5") 
  OpenGL: renderer: Mesa Intel UHD Graphics 630 (CFL GT2) v: 4.6 Mesa 20.1.6 
  direct render: Yes 
Audio:
  Device-1: Intel Cannon Lake PCH cAVS vendor: Dell driver: snd_hda_intel 
  v: kernel alternate: snd_soc_skl,snd_sof_pci bus ID: 00:1f.3 
  chip ID: 8086:a348 
  Sound Server: ALSA v: k5.4.60-2-MANJARO 
Network:
  Device-1: Intel Wi-Fi 6 AX200 vendor: Bigfoot Networks driver: iwlwifi 
  v: kernel port: 3000 bus ID: 3b:00.0 chip ID: 8086:2723 
  IF: wlp59s0 state: up mac: <filter> 
  IF-ID-1: br-eb8013486af9 state: up speed: N/A duplex: N/A mac: <filter> 
  IF-ID-2: docker0 state: down mac: <filter> 
  IF-ID-3: veth8a97422 state: up speed: 10000 Mbps duplex: full mac: <filter> 
  IF-ID-4: veth9197c98 state: up speed: 10000 Mbps duplex: full mac: <filter> 
  IF-ID-5: vethd7b4e41 state: up speed: 10000 Mbps duplex: full mac: <filter> 
Drives:
  Local Storage: total: 484.66 GiB used: 87.28 GiB (18.0%) 
  SMART Message: Unable to run smartctl. Root privileges required. 
  ID-1: /dev/nvme0n1 vendor: SK Hynix model: PC601 NVMe 512GB size: 476.94 GiB 
  block size: physical: 512 B logical: 512 B speed: 31.6 Gb/s lanes: 4 
  serial: <filter> rev: 80002111 scheme: GPT 
  ID-2: /dev/sda type: USB vendor: Generic model: Flash Disk size: 7.72 GiB 
  block size: physical: 512 B logical: 512 B serial: <filter> rev: 8.07 
  scheme: MBR 
  SMART Message: Unknown USB bridge. Flash drive/Unsupported enclosure? 
Partition:
  ID-1: / raw size: 195.62 GiB size: 191.55 GiB (97.92%) 
  used: 87.26 GiB (45.6%) fs: ext4 dev: /dev/nvme0n1p5 
Swap:
  Alert: No Swap data was found. 
Sensors:
  System Temperatures: cpu: 48.0 C mobo: N/A 
  Fan Speeds (RPM): N/A 
Info:
  Processes: 347 Uptime: 42m Memory: 15.28 GiB used: 3.00 GiB (19.7%) 
  Init: systemd v: 246 Compilers: gcc: 10.2.0 Packages: 1334 pacman: 1328 
  lib: 354 flatpak: 0 snap: 6 Shell: Zsh v: 5.8 running in: yakuake 
  inxi: 3.1.05 

Thanks!

I think I’m having the same issue, where can you find the vpn.data config?

Open a shell and write:

nmcli connection edit <YOUR_CONNECTION>

This will open the nmcli prompt in edit mode for the connection you specify.
You can type print to see all the values or print vpn.data where you will find your vpn parameters. Check if you have the following: certificate = , which will make it fail 100%.

Copy the whole vpn.data you just printed, edit it in any editor removing the certificate = , then you can replace it with the following:
remove vpn.data
set vpn.data <YOUR_CONFIG_WITHOUT_CERTIFICATE_HERE>
save
quit

Then try nmcli connection up <YOUR_CONNECTION> and see what it tells you. If it fails, you’ll receive a journal log pointer to see the log.

If you want to debug it, first type: sudo nmcli g log level

Hope it helps
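The cleanup step from the reply above (print vpn.data, drop the empty "certificate = " entry, feed the rest back with set vpn.data), as an added example that is not code from this thread, from NetworkManager or from strongswan. It only prepares the cleaned string; the nmcli edit session itself is still typed by hand. The hostname and paths in the sample are placeholders, and it assumes nmcli accepts the same "key = value, ..." form it prints, which is what the reply relies on.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from
# NetworkManager/strongswan. It cleans a vpn.data value as printed by
# `nmcli connection edit` (print vpn.data) by dropping entries with an empty
# value, e.g. "certificate = ", which the reply above identifies as the thing
# that makes the connection fail. It only prepares the string; pasting it into
# `remove vpn.data` / `set vpn.data ...` / `save` / `quit` is a manual step.

# Print the keys whose value is empty (e.g. "certificate"), space-separated.
empty_vpn_data_keys() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |   # trim each entry
        grep -E '^[A-Za-z0-9_-]+[[:space:]]*=[[:space:]]*$' |  # "key =" with nothing after
        sed 's/[[:space:]]*=.*$//' |
        paste -sd ' ' -
}

# Rebuild the value without the empty entries, in the "key = value, ..." form
# nmcli prints (assumption: nmcli accepts the same form for `set vpn.data`).
strip_empty_vpn_data() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v -E '^[A-Za-z0-9_-]+[[:space:]]*=[[:space:]]*$' |  # drop empty values
        grep -v '^$' |                                             # drop blank lines
        paste -sd ',' - |
        sed 's/,/, /g'
}

# Constructed sample in the layout `print vpn.data` shows; hostname and paths
# are placeholders, not taken from the thread.
SAMPLE='address = vpn.example.test,
   certificate = ,
   encap = no,
   ipcomp = no,
   method = key,
   usercert = /home/user/client.pem,
   userkey = /home/user/client.pem,
   virtual = yes'

printf 'dropped empty keys: %s\n' "$(empty_vpn_data_keys "$SAMPLE")"
printf 'set vpn.data %s\n' "$(strip_empty_vpn_data "$SAMPLE")"
```

The second printf line is exactly what goes into the nmcli edit prompt after `remove vpn.data`; the first tells you which fields were silently created empty, so you can check the same fields in the GUI afterwards.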

I figured it out by editing the entry in /etc/NetworkManager/system-connections/ but that ended up needing a restart to make it work, your way seems way easier! Thank you anyway for pointing towards the certificate = entry, weird that this just happens on Manjaro, I think the devs should look into this.

Hey! What if everything seems to be configured correctly, but it still fails?

Here is my nmcli connection edit <YOUR_CONNECTION> output:

vpn.service-type:                       org.freedesktop.NetworkManager.strongswan
vpn.user-name:                          --
vpn.data:                               
   address = vpn-product.I_REMOVED_THIS_NAME.com,
   certificate = /home/jurisl/Downloads/I_REMOVED_THIS_NAME.p12,
   encap = no,
   ipcomp = no,
   method = key,
   proposal = no,
   usercert = /home/jurisl/Downloads/VPN/I_REMOVED_THIS_NAME.pem,
   userkey = /home/jurisl/Downloads/VPN/I_REMOVED_THIS_NAME.pem,
   virtual = yes
vpn.secrets:                            <hidden>
vpn.persistent:                         no
vpn.timeout:                            0


I have set up many VPNs before, but now I have been provided some odd certificate with .p12 extension and I just can’t make it work.

I have installed: xl2tpd, strongswan and networkmanager-strongswan

strongswan conflicts with openswan so it was uninstalled. Is that correct?

I was also told it has to be IKEv2

Any help will be appreciated.

I would say, maybe the p12 is not a format that strongswan accepts?
Try converting it into a pem file and see how that goes:

Also, use these two commands to enable the logging and have an error message:

sudo nmcli g log level

nmcli connection up <YOUR_CONNECTION>

When the second command fails, it will give you a command to get the error from the system logs, you can start from there.
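The conversion suggested in the reply above (turning the .p12 into PEM files), as an added example that is not part of the original reply and not strongswan's or NetworkManager's own code. It assumes openssl is installed. make_test_p12 builds a throwaway self-signed bundle so the example runs offline; with a real bundle only split_p12 and cert_matches_key are needed. The file names, the export password and the CN are made up for the example. The private key is written under umask 077 so it is never world-readable, which matters for a key that then sits in a home directory.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from
# strongswan. Splits a .p12 bundle into the separate PEM files (client
# certificate, private key, CA chain) that the usercert / userkey /
# certificate fields of the connection can point at, and checks that the
# extracted certificate and key actually belong together.

# Build a self-signed test certificate and key, then pack them into a .p12.
# $1 = work directory, $2 = export password. Test data only.
make_test_p12() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=vpn-client-test' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name vpn-client-test -passout "pass:$pass" -out "$dir/bundle.p12"
}

# Split a .p12 into PEM files.
# $1 = bundle, $2 = import password, $3 = output directory.
split_p12() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out"
    # end-entity (client) certificate only
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out/client-cert.pem" 2>/dev/null
    # unencrypted private key; umask 077 in a subshell makes the file 0600
    # from the moment it is created, not after the fact
    (umask 077; openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$out/client-key.pem" 2>/dev/null)
    # CA chain, if the bundle carries one (file may be empty otherwise;
    # an absent chain is not an error)
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys \
        -out "$out/ca.pem" 2>/dev/null || :
}

# Return 0 if the certificate's public key matches the private key.
# Compares the SubjectPublicKeyInfo from both sides, so it works for any key type.
cert_matches_key() {
    cert=$1; key=$2
    [ "$(openssl x509 -in "$cert" -pubkey -noout)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Demo run on a constructed bundle
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_test_p12 "$work" 'export-password'
    split_p12 "$work/bundle.p12" 'export-password' "$work/pem"
    ls -l "$work/pem"
    cert_matches_key "$work/pem/client-cert.pem" "$work/pem/client-key.pem" \
        && echo 'client-cert.pem and client-key.pem belong together'
    rm -rf "$work"
fi
```

In the vpn.data printed earlier in the thread, usercert and userkey both point at one .pem while certificate points at the .p12; after splitting, the natural layout is client-cert.pem in usercert, client-key.pem in userkey, and the CA chain (ca.pem) in certificate. If ca.pem comes out empty, the bundle carried no chain and the CA certificate has to come from whoever issued the .p12.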