Thanks Bobby. I'll give this a try and report back. Much appreciated. Thanks, José
> On May 8, 2017, at 6:58 PM, Bobby Johnson <[email protected]> wrote: > > An ip from the range will be assigned to the connecting client. I've had > issues in previous releases with multiple clients getting the same ip though. > > 10.1.2.4 can be in that range, it doesn't need to be though. The ip or > whatever you put there should be the CERT_CN. I like to make sure it'll be > the CN so I modify the ikeca.cnf before each cert creation. The name of the > file doesn't matter, and I think the CN could be whatever you like. I make > the CN the client IP and fill in CERT_EMAIL and CERTFQDN for better > identification. > > > > >> On Thu, May 4, 2017 at 12:32 PM, Jose Marinez <[email protected]> wrote: >> Hi Guys, >> >> While I personally haven't used OpenBSD for almost 20 years, I'm glad it's >> still around and strong when I need it most. Thank you. >> >> Ok, so I have about 45 students and teachers that I would like to create a >> VPN for. I've looked at the alternatives and iked it is. >> >> Our environment is mainly macOS/iOS. >> >> I'm not by any means an expert in VPNs or crypto for that matter, but I'm a >> software engineer so I think I can figure this out. With that in mind, I've >> created an etc/iked.conf file that looks like this: >> >> ikev2 "school" passive esp from 0.0.0.0/0 to 192.168.1.0/24 \ >> local 7.7.7.7 peer any \ >> ikesa enc aes-128-gcm auth hmac-sha2-256 group ecp256 \ >> childsa enc aes-128-gcm auth hmac-sha2-256 group ecp256 \ >> ecdsa256 config address 192.168.1.0/24 \ >> config name-server 192.168.1.1 config access-server 192.168.1.1 >> >> >> Here are my questions: >> Strongswan has the concept of virtualips to deal with "road warriors." Would >> the range as I have set it up in my iked.conf deal with road warriors using >> say iPhones with IPs that I can't possibly hardcode? >> In other words, will an IP from that range be assigned to the devices >> connecting? >> >> My second question is dealing with certificates and ikectl: >> In the ikectl man pages there's an example: >> To create the certificate authority: >> # ikectl ca vpn create >> >> To create the certificates for the peers: >> # ikectl ca vpn certificate 10.1.2.3 create >> # ikectl ca vpn certificate 10.1.2.4 create >> # ikectl ca vpn certificate 10.1.2.5 create >> >> Add the host as a VPN peer: >> # ikectl ca vpn install >> # ikectl ca vpn certificate 10.1.2.3 install >> >> Export the certificate and CAs for the peers: >> # ikectl ca vpn certificate 10.2.3.4 export >> # ikectl ca vpn certificate 10.3.4.5 export >> >> Create the tarballs and extract them to /etc/iked/ >> 10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz >> 10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz >> >> Questions: >> When I create a certificate as in: >> # ikectl ca vpn certificate 10.1.2.4 create >> Is 10.1.2.4 hypothetically one of the IPs in the range that was used in >> iked.conf? >> Last but not least, if I were to change the name of the certificate(s) from >> say 10.1.2.4.pem to one more descriptive, say... janesmith.pem, will it >> still match the IKEV2 identity when the device tries to connect? >> >> Thanks in advance guys, >> Jose >
