Feature #2581

Add option to configure client identity in NetworkManager plugin

Added by Harald Dunkel over 3 years ago. Updated over 1 year ago.

networkmanager (charon-nm)
Target version:
Start date:
Due date:
Estimated time:


charon-nm sends the certificate's DN as an identifier. In this case the dhcp plugin on the peer does not set a client hostname option in the dhcp request, i.e. dnsmasq doesn't set the hostname in its DNS database.

It would be very nice if charon/charon-nm could be improved in this case.

On ios or MacOS the client uses the FQDN (configured in a profile) as an identifier, the dhcp plug sets the client hostname in the dhcp request, and dnsmasq registers the hostname in DNS.

Associated revisions

Revision c41419fa
Added by Tobias Brunner over 1 year ago

Merge commit 'nm-client-id'

Makes the client's IKE identity configurable in the NM GUI. For PSK
authentication the identity is now configured via that new field
and not the username anymore (old configs still work and are migrated
when edited). The client identity now also defaults to the IP address
if not configured when using EAP/PSK.

Fixes #2581.


#1 Updated by Tobias Brunner over 3 years ago

  • Status changed from New to Feedback

I'm not sure if the title is correct, as this is more of a charon-nm than a dhcp plugin issue (e.g. add a client ID selector like we provide in the Android app). But you sure could also hack something into the dhcp plugin if really wanted to forward a hostname (e.g. get the client's certificate and search for a FQDN in the SANs).

#2 Updated by Harald Dunkel about 2 years ago

I am desperately waiting for this feature. Is there hope?

#3 Updated by Tobias Brunner over 1 year ago

  • Subject changed from dhcp plugin: please support client hostname option for peers running charon-nm to Add option to configure client identity in NetworkManager plugin
  • Category set to networkmanager (charon-nm)
  • Target version set to 5.8.3

I pushed some changes to the 2581-nm-client-id branch, which allow configuring a specific client identity (e.g. a subjectAltName instead of the subject DN, which is used by default for certificates).

#4 Updated by Tobias Brunner over 1 year ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed

Also available in: Atom PDF