Hi Alex,

> # Where is this coming from ? The cert on vpn.york.ac.uk
> lives on a host called vpn10.york.ac.uk
> and has multiple SubjAlt Name entries for all
> the real vpn servers we might want to use the cert on.
> # Think this is "wrong " message,
> Dec 1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not
> match to 'vpn.york.ac.uk'
> Dec 1 10:40:13 deadpool charon-nm: 06[TLS] sending fatal TLS alert
> 'access denied'

That's the certificate provided by the RADIUS server during EAP-PEAP. As you can't specify an AAA identity with the NM frontend, the server's IKE identity (i.e. the hostname) must be contained as subjectAltName in that certificate too.

Regards,
Tobias
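
The requirement in the reply above can be checked against a PEM copy of the RADIUS server's certificate before it is deployed. The script below is an added example, not part of the original message or of strongSwan: the helper names, the name `radius.example.org` and the two generated certificates are constructed for illustration, and the exact-match comparison (no wildcard handling) is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Reports whether a PEM certificate
# carries a given hostname as a DNS subjectAltName entry.

# san_dns_names CERT.pem -> one DNS SAN entry per line
san_dns_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# san_has_dns CERT.pem NAME -> exit 0 on an exact, case-insensitive match.
# Assumption: exact comparison, no wildcard expansion.
san_has_dns() {
    san_dns_names "$1" | grep -qixF -- "$2"
}

# make_cert OUT.pem SAN_LIST -> constructed self-signed test certificate
make_cert() {
    local out=$1 san=$2 cfg rc
    cfg=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=ext' '[dn]' 'CN=radius.example.org' \
        '[ext]' "subjectAltName=$san" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$out.key" -out "$out" 2>/dev/null
    rc=$?
    rm -f "$cfg" "$out.key"
    return "$rc"
}

demo() {
    local dir c id=vpn.york.ac.uk   # IKE identity from the log in the thread
    dir=$(mktemp -d)
    make_cert "$dir/before.pem" 'DNS:radius.example.org'
    make_cert "$dir/after.pem"  'DNS:radius.example.org,DNS:vpn.york.ac.uk'
    for c in before after; do
        if san_has_dns "$dir/$c.pem" "$id"; then
            echo "$c.pem: '$id' present in subjectAltName"
        else
            echo "$c.pem: '$id' missing, has: $(san_dns_names "$dir/$c.pem" | tr '\n' ' ')"
        fi
    done
    rm -rf "$dir"
}
demo
```
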
