Hi Chris,

The NM plugin currently does not provide an option to configure the expected AAA server identity. So the IKE identity is reused and enforced. This will fail if the AAA server uses a different identity during EAP-PEAP/(T)TLS:

> [IKE] authentication of 'CN=vpn.company.com' with RSA signature successful
> ...
> [TLS] server certificate does not match to 'CN=vpn.company.com'

> What we found key was the leftauth method has to be eap-mschapv2. That
> doesn't seem to be available in the network manager config.

While the authentication method can't be configured explicitly in the NM plugin, you can prevent the eap-peap plugin from getting loaded so plain EAP-MSCHAPv2 will be used. To do so, configure charon-nm.plugins.eap-peap.load = no in strongswan.conf (note that this requires at least 5.5.0 to work; in older releases the complete list of plugins has to be provided in charon-nm.load, see [1] for details).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
