Unable to connect to VPN with strongswan

Hello, I am trying to connect to my uni’s VPN using strongswan with EAP.

I installed strongswan with:

  networking.networkmanager = {
    enable = true;
    enableStrongSwan = true;
  };

And configured the VPN settings themselves using the nm-applet GUI, without a certificate specified.

However when trying to connect I get the error:

nov 25 15:41:28 hostname charon-nm[5648]: 06[CFG] no issuer certificate found for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"

In the setup instructions it is written that:

Strongswan does not have any default trusted root certificates on some linux distributions (verified for fedora 36). This causes the VPN connection to fail, as the certificate used by the university will not be trusted. This issue does not affect Ubuntu 18.04.

  1. To check if this is the case, run # journalctl -f -u NetworkManager.service, while trying to connect to the VPN.
  2. Only proceed to the next step if the connection log shows a line such as no issuer certificate found for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
  3. Make a symbolic link from the root certificates trusted by your distribution to the directory where strongswan expects certificates. This directory differs between distributions.
  • On Ubuntu (and most other distributions): # ln -s /etc/ssl/certs /etc/ipsec.d/cacerts/systemCA
  • On Fedora: # ln -s /etc/ssl/certs /etc/strongswan/ipsec.d/cacerts/systemCA
  4. Restart strongswan and NetworkManager: # systemctl restart strongswan NetworkManager

However, this is naturally not possible on NixOS.

In strongswanNM it is specified that /etc/ssl/certs should be used as a source of certificates in: nixpkgs/pkgs/tools/networking/strongswan/default.nix at e8c38b73aeb218e27163376a2d617e61a2ad9b59 · NixOS/nixpkgs · GitHub
So it feels like the program should work properly out of the box, however maybe something is misconfigured or missing?
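The diagnostic the setup instructions describe (watch the journal for "no issuer certificate found", then check whether the named root is actually in the system trust store) can be scripted. The following is an added example, not code from the original post or from strongSwan or nixpkgs: it parses a constructed copy of the charon-nm log line quoted above, pulls out the issuer CN, and then searches a CA directory (default /etc/ssl/certs, which on NixOS is normally a bundle file) for a certificate with that subject. It uses only sed and openssl; the second log line in the sample is made up as a non-matching control.

```shell
#!/usr/bin/env sh
# Added example: find the issuer charon-nm says is missing, then check whether
# the system trust store already contains it (i.e. strongSwan is simply not
# reading it) or whether the root really has to be supplied explicitly.

# Constructed sample of `journalctl -f -u NetworkManager.service` output.
# The first line is the one quoted in the post; the second is a made-up,
# non-matching line so the filter has something to ignore.
SAMPLE_LOG='nov 25 15:41:28 hostname charon-nm[5648]: 06[CFG] no issuer certificate found for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
nov 25 15:41:28 hostname charon-nm[5648]: 06[CFG] constructed filler line, not an error'

# missing_issuer LOG_TEXT
#   prints the quoted DN from the first "no issuer certificate found" line
missing_issuer() {
    printf '%s\n' "$1" \
      | sed -n 's/.*no issuer certificate found for "\([^"]*\)".*/\1/p' \
      | head -n 1
}

# issuer_cn DN
#   prints the CN= component of a comma-separated DN
issuer_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# find_ca CN [DIR]
#   prints the first file under DIR whose certificate(s) carry a subject
#   containing CN; handles both single PEM files and bundles such as
#   ca-bundle.crt by expanding every cert in the file through pkcs7.
#   exit 0 found, 1 not found, 2 openssl unavailable
find_ca() {
    cn="$1"; dir="${2:-/etc/ssl/certs}"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available" >&2; return 2; }
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        subjects=$(openssl crl2pkcs7 -nocrl -certfile "$f" 2>/dev/null \
                   | openssl pkcs7 -print_certs -noout 2>/dev/null \
                   | sed -n 's/^subject=//p') || continue
        case "$subjects" in
            *"$cn"*) printf '%s\n' "$f"; return 0 ;;
        esac
    done
    return 1
}

dn=$(missing_issuer "$SAMPLE_LOG")
cn=$(issuer_cn "$dn")
echo "charon-nm is missing issuer: $dn"
if path=$(find_ca "$cn"); then
    echo "the system trust store has it in $path; strongSwan is not consulting that store"
else
    echo "not found in the system trust store either; the root must be supplied explicitly"
fi
```

On a live system, replace SAMPLE_LOG with `journalctl -u NetworkManager.service --no-pager | tail -n 200` while a connection attempt is running. If find_ca succeeds, the root is present and the problem is only which directory strongSwan reads; if it fails, symlinking the system store (as the instructions suggest) cannot help and the CA has to be added to the trust store first.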

Also having the same problem, similarly trying to connect to my Uni’s VPN on Nix, with StrongSwan. Have you made any progress in getting this working?

Have you tried setting security.pki.certificateFiles to [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]?