OK, I talked to Chris last week and he confirmed that using the built-in
IKEv2 VPN client in Win7/Win8 with pfSense is definitely possible.
He even knows of a few people who do it.
The strongSwan documentation is OK, but I've tried to follow it... and
no success.
The IKEv2 client itself, of course, is renowned for crummy diagnostics -
you get one generic error, almost no matter what happens. (Kind of
reminds me of using ed(1). Maybe Rob Pike works for MS now? <grin>)
I need to achieve zero-touch remote VPN users - I don't want to have to
send them a file, install a certificate or CA on their device, configure
their device, etc. Put another way, I need to be able to use an
arbitrary device, never before connected to my network, to establish a
VPN connection from anywhere, by anyone.
So far, PPTP and IKEv2 (using EAP-MSCHAPv2) appear to be the only
options, and while PPTP works fine, it's insecure. (This isn't actually
a problem for my use case, but since it's going away and certainly isn't
getting any love in pfSense, I'm leaving it behind.)
IKEv2 just... never works. I'm pretty darn sure (99.999%) my
certificate meets the requirements.
Are there any tricks that aren't obvious?
Thanks,
-Adam Thompson
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list