<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 1/24/22 02:00, Tobias Brunner wrote:<br>
</div>
<blockquote type="cite"
cite="mid:f0370770-a9aa-9abf-5395-24a9b80a5caf@strongswan.org">Hi
Daniel,
<br>
<br>
<blockquote type="cite">Removing the blank "certificate=" line
from the VPN connection config in
<br>
/etc/NetworkManager/system-connections/ restores the original
behavior.
<br>
However, modifying the connection config in NetworkManager will
again add
<br>
the blank "certificate=" line, once again breaking the
connection config.
<br>
</blockquote>
<br>
I can't reproduce this. What does the "Certificate" file chooser
display when you open the editor? "(None)"?
<br>
<br>
Regards,
<br>
Tobias
<br>
<br>
</blockquote>
<br>
Perhaps I wasn't clear. Applying any change to any field in the
NetworkManager strongswan VPN plugin config will write a text config
file with the 'certificate=' line. For example, the following
resulting connection config snippet would be broken because no
certificate was specified in the GUI:<br>
<br>
<font face="monospace">...<br>
</font><span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;"><br>
[vpn]
</span><br>
address=vpn.example.com<br>
certificate=
<br>
encap=yes<br>
...<br>
<br>
<br>
</span>Changing that snippet to the following makes the connection
work using system certificates:<br>
<br>
<span style="font-family:monospace"><font face="monospace">...<br>
</font><span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;"><br>
[vpn]
</span><br>
address=vpn.example.com<br>
encap=yes<br>
...</span></span><br>
<br>
<br>
Notice the missing 'certificate=' line. However, any change made in
the GUI would restore the certificate= line as shown below:<br>
<font face="monospace">...<br>
</font><span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;"><br>
[vpn]
</span><br>
address=different-vpn.example.com<br>
certificate=
<br>
encap=yes<br>
...<br>
</span><br>
Thus, manually modifying the GUI-created VPN config is a temporary
workaround, but it will break eventually when the user applies
something in the GUI, and a new config is written out. <br>
<br>
The GUI config should not include a 'certificate=' line when the
GUI's "Certificate:" field is left blank. Alternatively, strongswan
should assume 'certificate=' indicates the system certificates
should be used.<br>
<br>
Does that answer your question?<br>
<br>
<pre class="moz-signature" cols="72">--
Daniel Fussell
CAEDM Linux Administrator
BYU College of Engineering
240 EB, Provo UT 84602
801-422-5351
<a class="moz-txt-link-abbreviated" href="mailto:dfussell@byu.edu">dfussell@byu.edu</a></pre>
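<br>
The manual workaround from the message above, as an added example that is not part of the original message or of the strongSwan or NetworkManager code: a script that removes an empty 'certificate=' key from the [vpn] section of a keyfile while leaving a populated one alone. The function name and the sample connection are constructed for illustration; as the message notes, the GUI writes the line back on the next save, so the cleanup has to be repeated after each edit.<br>

```python
import re

# Matches a keyfile section header such as "[vpn]".
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Matches "certificate=" with nothing (or only whitespace) after the equals sign.
BLANK_CERT_RE = re.compile(r"^\s*certificate\s*=\s*$")


def strip_blank_certificate(keyfile_text):
    """Return (cleaned_text, removed) for one NetworkManager keyfile.

    Only an empty certificate= key inside the [vpn] section is dropped. A
    certificate= line that names a file, and the same key in any other
    section, is left alone. All other lines are preserved byte for byte.
    """
    section = None
    kept = []
    removed = 0
    for line in keyfile_text.splitlines(keepends=True):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
        elif section == "vpn" and BLANK_CERT_RE.match(line):
            removed += 1
            continue  # drop the blank key, keep everything else
        kept.append(line)
    return "".join(kept), removed


# Constructed sample modelled on the snippet in the message above.
SAMPLE = """[connection]
id=example-vpn
type=vpn

[vpn]
address=vpn.example.com
certificate=
encap=yes
"""

if __name__ == "__main__":
    cleaned, count = strip_blank_certificate(SAMPLE)
    print(cleaned, end="")
    print("blank certificate= lines removed:", count)
```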
</body>
</html>