nm strongswan gui doesn't have a way to enter pre-shared key

Bug #1697536 reported by Tessa
This bug affects 19 people

Affects: network-manager-strongswan (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

When setting up a VPN connection in the NM Gnome GUI using strongswan, there is a pre-shared key auth option, but no way to actually enter the key or add the connection once PSK has been selected. This blocks a whole host of servers from being actually usable in Ubuntu.

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: network-manager-strongswan 1.4.1-1
ProcVersionSignature: Ubuntu 4.10.0-22.24-generic 4.10.15
Uname: Linux 4.10.0-22-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.20.4-0ubuntu4.1
Architecture: amd64
CurrentDesktop: GNOME
Date: Mon Jun 12 12:31:09 2017
InstallationDate: Installed on 2016-07-08 (338 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: network-manager-strongswan
UpgradeStatus: Upgraded to zesty on 2017-04-14 (59 days ago)

Tobias Brunner (tobias-strongswan) wrote :

You don't have a Password field?

Tessa (unit3) wrote :

I have a username and password field, which should be separate from the PSK field, no? Our Cisco Meraki appliance is expecting both a PSK to with the server, and a username and password for individual client auth.

Regardless, when I fill in the username and password with PSK selected, the "Add" button remains greyed out and refuses to add the connection to my network settings.

Tobias Brunner (tobias-strongswan) wrote :

> Our Cisco Meraki appliance is expecting both a PSK to with the server, and a username and password for individual client auth.

I guess you are referring to IKEv1 XAuth/PSK. The strongSwan NetworkManager plugin does not support this. It only supports IKEv2 (where EAP can be used for username/password authentication after properly authenticating the server with a certificate, which is not possible with a PSK).

> Regardless, when I fill in the username and password with PSK selected, the "Add" button remains greyed out and refuses to add the connection to my network settings.

That's probably because the PSK you entered is too short (a minimum of 20 characters is enforced).

Tessa (unit3) wrote :

Ahhh yeah, our corporate PSK is only ~10 characters. So it sounds like there's no way to support this VPN with the strongswan plugin. That's unfortunate, since I have no way to change corporate IT infrastructure.

To clear this up, it'd be nice if the interface made it clear that the username field is unused and the password field is the place for the PSK in PSK mode. None of that is obvious in the current interface.

Tobias Brunner (tobias-strongswan) wrote :

> To clear this up, it'd be nice if the interface made it clear that the username field is unused

It is not, it defines the identity of the client (i.e. the local identity).

> and the password field is the place for the PSK in PSK mode.

The tooltip of that field mentions PSKs (in particular the 20 character limit).

> None of that is obvious in the current interface.

Even though I agree, changing texts of labels is, of course, more complicated than just en-/disabling the fields. And since we don't recommend using PSKs in the first place I don't think there will be much work on this.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-strongswan (Ubuntu):
status: New → Confirmed
zubozrout (zubozrout) wrote :

Yeah, this seems to be pretty bad. I've been asked to connect to a corporate VPN using a PSK that only has 7 characters and can't use Network Manager because of this 20+ character limit :(.

On Apple (I don't use that, but my boss does) this however works out of the box and with no issues: https://raw.githubusercontent.com/truemetal/ikev2_vpn/master/macos%20setup%20demo%20(PSK).gif

Agustin Rivero (agustin-midokura) wrote :

Come on,
this is a client configuration, not a server configuration. In a server you could force the user not to use an insecure password. But is it insecure to configure the client wrongly? It's like not allowing a login prompt to enter a short password. Security must be implemented when setting the password on the server, not when logging in!!

A client shouldn't impose restrictions in configuration, otherwise it's not a generic client, it's just a client that works in some cases, and that is not a technical limitation but a bad decision on where security must be implemented.

This applies to not allowing PSK in a client or not allowing a short password in a client.

vincenzo cerbone (vincenzo-cerbone) wrote :

Same situation here. I totally agree with Agustin Rivero (agustin-midokura).
Please fix this limitation client-side!

Bernhard VonZastrow (bvz) wrote :

Same again with me. 16 character PSK, set by my company and is something I have no control over.

Is this "strong key" requirement enforced in the GUI only? Or is it a fundamental part of strongswan itself? I.e. could I circumvent it by entering a longer (incorrect) key in the gui and then modify a config file somewhere to hold the correct key?

I agree, this feels like a bug. If the server is set up to accept (require) a shorter key, then the fact that the strongswan client is unable to connect seems like an error.

Dmytro Korzhevin (korg) wrote :

Hello,

This problem still persists in Ubuntu 19.10

network-manager 1.20.4-2ubuntu2
network-manager-config-connectivity-ubuntu 1.20.4-2ubuntu2
network-manager-gnome 1.8.22-2ubuntu1
network-manager-strongswan 1.4.4-2

> lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 19.10
Release: 19.10
Codename: eoan

Van Stokes, Jr. (vstokes) wrote :

This problem still persists in Ubuntu 18.04

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

Arkadiusz (arkadiusz2020) wrote :

This problem still persists in Ubuntu 20.04

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal

oussama boumaad (ghostery) wrote :

This problem still persists in my Ubuntu 20.04 too.
This is a great tool, but this one bug needs to be fixed.
Thank you

Darik Horn (dajhorn) wrote :

This defect persists into Ubuntu 21.04 Hirsute Hippo.

Michael Härtl (h-mh) wrote :

Is there a workaround to make the Plugin accept PSK with less than 20 characters, e.g. via some CLI tool?

And maybe someone could explain where this limitation comes from. As others have pointed out if you connect to a foreign VPN you may not have control over the length of the PSK that they assign you. So you're out of luck in this case.

Related problem: If I select "Ask for password each time" (translated back from German) in the dropdown of the password field I still cannot save the connection. This makes no sense as I explicitly selected not to enter the password here.
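
An added illustration (not code from the plugin or from anyone in this thread) of what the 20-character minimum mentioned above means for the keyspace, using constructed sample keys with the lengths reported in this bug (7, about 10, 16). The character classes, the 64-symbol generator alphabet and all function names are assumptions of the example; the thread itself does not state the plugin's rationale for the limit.

```python
import math
import secrets
import string

MIN_PSK_CHARS = 20  # minimum quoted in the thread for the plugin's PSK field

# Character classes used to bound the alphabet a key was drawn from (assumption).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(psk: str) -> int:
    """Sum the sizes of every class that has at least one character in psk."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in psk))
    # Characters outside the four classes (spaces, non-ASCII) count once each.
    extra = {ch for ch in psk if not any(ch in c for c in CLASSES)}
    return size + len(extra)


def max_entropy_bits(psk: str) -> float:
    """Upper bound on entropy: assumes every character was chosen uniformly
    at random. Human-chosen keys fall well below this bound."""
    if not psk:
        return 0.0
    return len(psk) * math.log2(alphabet_size(psk))


def accepted_by_length_rule(psk: str) -> bool:
    """The length rule described in the thread: at least 20 characters."""
    return len(psk) >= MIN_PSK_CHARS


def generate_psk(n_chars: int = 32) -> str:
    """Random key from a 64-symbol alphabet (6 bits per character)."""
    if n_chars < MIN_PSK_CHARS:
        raise ValueError(f"need at least {MIN_PSK_CHARS} characters")
    alphabet = string.ascii_letters + string.digits + "-_"
    return "".join(secrets.choice(alphabet) for _ in range(n_chars))


if __name__ == "__main__":
    # Constructed sample keys with the lengths reported in the thread.
    for sample in ("abc1234", "Corp2017vp", "Sixteen-Chars-16", generate_psk()):
        print(len(sample), accepted_by_length_rule(sample),
              round(max_entropy_bits(sample), 1))
```

A 20-character key made of one repeated letter also passes the length rule, so the minimum is a floor on length, not a measure of strength.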
