SUMMARY When saving a Strongswan VPN connection (EAP, with username/password and no certificate), the connection editor creates a "certificate=" line with no value in the "[vpn]" section of the connection config. As a result, NetworkManager passes an empty certificate path to Strongswan, which fails to load the certificate, and thus fail the connection process. This was not a problem with NetworkManager 1.22.10 and earlier, but it has become a problem with 1.26.2. Presumably, older versions contained a workaround which has been removed. As a result, the connection configs that worked in Kubuntu 20.04 stopped working after upgrade to 20.10. STEPS TO REPRODUCE 1. Create a Strongswan VPN connection. Input Gateway address, select EAP authentication method, input username and password. Leave certificate field empty. 2. Go to the created connection settings and change them. For example, enable this connection for all users in the General settings tab. Keep the certificate field empty. Click Apply. 3. Navigate to the connection config file in /etc/NetworkManager/system-connections. Check if it has a "certificate=" line in the "[vpn]" section. 4. Try to establish the connection. OBSERVED RESULT In step 3, I can see the "certificate=" line. In step 4, the connection fails to establish. There are the following lines in syslog: 25 Nov 2020 01:01:41 NetworkManager <info> [1606255301.5949] audit: op="connection-activate" uuid="ef38a0ab-5255-4a0b-a56d-b65efad01750" name="MySwanVPN" pid=4287 uid=1000 result="success" 25 Nov 2020 01:01:41 NetworkManager <info> [1606255301.5978] vpn-connection[0x5645cdeb6500,ef38a0ab-5255-4a0b-a56d-b65efad01750,"MySwanVPN",0]: Saw the service appear; activating connection 25 Nov 2020 01:01:41 charon-nm 05[CFG] received initiate for NetworkManager connection MySwanVPN 25 Nov 2020 01:01:41 charon-nm 05[LIB] opening '' failed: No such file or directory 25 Nov 2020 01:01:41 charon-nm 05[LIB] building CRED_CERTIFICATE - X509 failed, tried 6 builders 25 Nov 2020 01:01:41 NetworkManager <warn> [1606255301.6040] vpn-connection[0x5645cdeb6500,ef38a0ab-5255-4a0b-a56d-b65efad01750,"MySwanVPN",0]: VPN connection: failed to connect: 'Loading gateway certificate failed.' EXPECTED RESULT No empty "certificate=" line should be added, the connection should succeed. SOFTWARE/OS VERSIONS Operating System: Kubuntu 20.10 KDE Plasma Version: 5.19.5 KDE Frameworks Version: 5.74.0 Qt Version: 5.14.2 NetworkManager version: 1.26.2 Kernel Version: 5.8.0-29-lowlatency OS Type: 64-bit Processors: 8 × Intel® Core™ i7-2600K CPU @ 3.40GHz Memory: 15.6 GiB of RAM Graphics Processor: GeForce RTX 2080 Ti/PCIe/SSE2 ADDITIONAL INFORMATION One workaround is to remove the "certificate=" line from the connection config and then reboot (since NetworkManager loads configs on boot and doesn't reload them on connection). But this has to be done every time you change something in the connection editor, since it will add this line again every time it saves the config. Another workaround is to downgrade NetworkManager to 1.22.10 or older, but this may be problematic as it will likely break package dependencies on the system.
same problem for me and same workaround.
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/43
Proposed fix: https://invent.kde.org/plasma/plasma-nm/-/merge_requests/43
Fixed by Jan Grulich with https://invent.kde.org/plasma/plasma-nm/-/commit/7b3d786e356abdb5595b042bc1dc6f980de49288 in Plasma 5.21