An ip from the range will be assigned to the connecting client. I've had issues in previous releases with multiple clients getting the same ip though.
10.1.2.4 can be in that range, it doesn't need to be though. The ip or whatever you put there should be the CERT_CN. I like to make sure it'll be the CN so I modify the ikeca.cnf before each cert creation. The name of the file doesn't matter, and I think the CN could be whatever you like. I make the CN the client IP and fill in CERT_EMAIL and CERTFQDN for better identification. On Thu, May 4, 2017 at 12:32 PM, Jose Marinez <[email protected]> wrote: > Hi Guys, > > While I personally haven't used OpenBSD for almost 20 years, I'm glad it's > still around and strong when I need it most. Thank you. > > Ok, so I have about 45 students and teachers that I would like to create a > VPN for. I've looked at the alternatives and iked it is. > > Our environment is mainly macOS/iOS. > > I'm not by any means an expert in VPNs or crypto for that matter, but I'm > a software engineer so I think I can figure this out. With that in mind, > I've created an etc/iked.conf file that looks like this: > > ikev2 "school" passive esp from 0.0.0.0/0 to 192.168.1.0/24 \ > local 7.7.7.7 peer any \ > ikesa enc aes-128-gcm auth hmac-sha2-256 group ecp256 \ > childsa enc aes-128-gcm auth hmac-sha2-256 group ecp256 \ > ecdsa256 config address 192.168.1.0/24 \ > config name-server 192.168.1.1 config access-server 192.168.1.1 > > > Here are my questions: > Strongswan has the concept of virtualips to deal with "road warriors." > Would the range as I have set it up in my iked.conf deal with road warriors > using say iPhones with IPs that I can't possibly hardcode? > In other words, will an IP from that range be assigned to the devices > connecting? > > My second question is dealing with certificates and ikectl: > In the ikectl man pages there's an example: > To create the certificate authority: > # ikectl ca vpn create > > To create the certificates for the peers: > # ikectl ca vpn certificate 10.1.2.3 create > # ikectl ca vpn certificate 10.1.2.4 create > # ikectl ca vpn certificate 10.1.2.5 create > > Add the host as a VPN peer: > # ikectl ca vpn install > # ikectl ca vpn certificate 10.1.2.3 install > > Export the certificate and CAs for the peers: > # ikectl ca vpn certificate 10.2.3.4 export > # ikectl ca vpn certificate 10.3.4.5 export > > Create the tarballs and extract them to /etc/iked/ > 10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz > 10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz > > Questions: > When I create a certificate as in: > # ikectl ca vpn certificate 10.1.2.4 create > Is 10.1.2.4 hypothetically one of the IPs in the range that was used in > iked.conf? > Last but not least, if I were to change the name of the certificate(s) > from say 10.1.2.4.pem to one more descriptive, say... janesmith.pem, will > it still match the IKEV2 identity when the device tries to connect? > > Thanks in advance guys, > Jose
