NetworkManager not accepting valid certificate for IKEv2 VPN

Hi all,

In our university we have a VPN server using IPsec/IKEv2. This server uses a valid certificate which requires an intermediary CA under GlobalSign.

The server already sends the required certificates as shown in the log:

Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[IKE] received end entity cert "C=BR, ST=Santa Catarina, L=zzzzz, O=xxxxxx, CN=xxxx"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[IKE] received issuer cert "C=BR, O=Rede Nacional de Ensino e Pesquisa - RNP, CN=RNP ICPEdu OV SSL CA 2019"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[IKE] received issuer cert "C=BE, O=GlobalSign nv-sa, CN=Trusted Root TLS CA SHA256 G3"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[CFG]   using certificate "C=BR, ST=Santa Catarina, L=zzzzz, O=xxxxxx, CN=xxxx"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[CFG]   using untrusted intermediate certificate "C=BR, O=Rede Nacional de Ensino e Pesquisa - RNP, CN=RNP ICPEdu OV SSL CA 2019"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[CFG]   using untrusted intermediate certificate "C=BE, O=GlobalSign nv-sa, CN=Trusted Root TLS CA SHA256 G3"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[CFG] no issuer certificate found for "C=BE, O=GlobalSign nv-sa, CN=Trusted Root TLS CA SHA256 G3"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[CFG]   issuer is "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[IKE] no trusted RSA public key found for 'xxxxxx'
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[NET] sending packet: from 192.168.0.200[48115] to yyy.yy.yy.yy[4500] (80 bytes)

In openSUSE Leap 15, NetworkManager rejects the certificate and aborts the connection. It seems not to recognize the certificate chain we send.

Other distros (such as Ubuntu 22 and Mint 21) as well as Windows/macOS are able to connect to this server without issue.

Any ideas on how to solve this issue?

Kind regards,
Rodrigo

Did you specify a CA certificate in the connection properties? If I interpret the strongSwan documentation correctly, if no certificate is given charon-nm tries to find it in the “system” location, which defaults to /usr/share/ca-certificates. This directory does not exist on openSUSE but exists on Debian/Ubuntu and derivatives. Apparently it is possible to change it at runtime, see NetworkManager :: strongSwan Documentation

I suppose the “correct” location could be /etc/ssl/certs or /var/lib/ca-certificates/pem.

Dear arvidjaar,

Thanks for your response. Based on what you said, I’ve looked further into the issue and found that there is indeed a bug with charon in openSUSE. It looks for the CA certificates at /usr/share/ca-certificates. To solve this, I issued this command:

sudo ln -s /var/lib/ca-certificates/pem /usr/share/ca-certificates

I opened a bug report: 1216564 – Missing directory /usr/share/ca-certificates for charon
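The two posts above come down to one thing: charon-nm received the server's end-entity certificate and both intermediates, but could not find the GlobalSign root in the directory it searches as its trust store, so the chain ended in "no issuer certificate found" and AUTH_FAILED. The script below is an added example, not code from this thread or from strongSwan/NetworkManager. It builds a constructed three-level chain (root, intermediate, server certificate, all names made up) with the openssl command-line tool, then runs chain validation against two CA directories: one without the root, which reproduces the failure, and one where the root is installed in the hashed-filename layout that directory-based trust stores use. It finishes by reporting which of the three directories named in the thread exist on the current machine. It assumes openssl is installed and that the directory paths are the ones arvidjaar and Rodrigo mention.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan/NetworkManager.
# Builds a constructed chain (root -> intermediate -> leaf, made-up names)
# and validates it against a CA directory with and without the root CA.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: CA certificates must carry CA:TRUE, otherwise
# OpenSSL rejects them as issuers ("invalid CA certificate").
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/leaf.ext"

# new_csr NAME SUBJECT: generate a private key and CSR in $WORK.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# make_chain: self-signed root -> intermediate CA -> end-entity certificate.
make_chain() {
  new_csr root "/O=Example Root/CN=Example Root CA"
  openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" \
    -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
    -out "$WORK/root.pem" >/dev/null 2>&1
  new_csr int "/O=Example Org/CN=Example Intermediate CA"
  openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  new_csr leaf "/O=Example Org/CN=vpn.example.test"
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# install_root DIR: place the root CA in DIR using the <subject-hash>.0
# symlink layout that directory-based trust store lookups expect.
install_root() {
  mkdir -p "$1"
  cp "$WORK/root.pem" "$1/root.pem"
  ln -sf root.pem "$1/$(openssl x509 -noout -hash -in "$WORK/root.pem").0"
}

# verify_chain CADIR: validate the leaf with the intermediate supplied as
# untrusted (as the VPN server sends it) and CADIR as the only trust source.
# Returns 0 when the intermediate's issuer is found in CADIR, non-zero otherwise.
verify_chain() {
  openssl verify -no-CAfile -CApath "$1" -untrusted "$WORK/int.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# report_ca_dirs: show which of the candidate CA directories from the
# thread exist on this machine.
report_ca_dirs() {
  for d in /usr/share/ca-certificates /etc/ssl/certs /var/lib/ca-certificates/pem; do
    if [ -d "$d" ]; then echo "present: $d"; else echo "missing: $d"; fi
  done
}

make_chain
mkdir -p "$WORK/empty-cadir"
install_root "$WORK/full-cadir"

if verify_chain "$WORK/empty-cadir"; then
  echo "unexpected: chain validated without the root CA"
else
  echo "CA dir without root: issuer of the intermediate not found, chain rejected"
fi
if verify_chain "$WORK/full-cadir"; then
  echo "CA dir with root: chain validated"
fi
report_ca_dirs
```

The first verification fails for the same structural reason as the charon log: the sent intermediates are only "untrusted" input, and the chain is accepted only once the root is found in the directory used as the trust anchor store. On a system where report_ca_dirs prints "missing: /usr/share/ca-certificates", the symlink from Rodrigo's post makes that path resolve to the distribution's PEM store; pointing charon-nm at an existing directory, as the strongSwan documentation referenced above describes, is the other way to close the gap.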