On 2019-02-28, Michael Lam <michael.mc....@gmail.com> wrote:
> Just want to highlight that there is a FAQ document checked in that
> provides some samples of iked configurations for road-warrior setup.
>
> I am using almost the same setup provided in the sample, and I can only
> have one client connected at a time. Once the 2nd client connects it
> will stop the first client from working.
>
> Hope this helps with others until it is fixed.
Note that the new FAQ page for VPNs is still a work in progress. (In particular I think that the "OpenBSD as client" section which tries to work around iked's lack of client side mode-config support is not entirely correct yet).

>> Also responding to another user (due to some issue I can only get the
>> mailing list emails fixed.)
>>
>> I use a Letsencrypt certificate by doing the following:
>> 1. Copying the root certificate file from /etc/ssl/cert.pem (provided by
>> OpenBSD) into "ca" folder.
>> 2. Putting the certificate file obtained from Letsencrypt into "cert" folder
>> under iked folder.
>> 3. Putting the full chain certificate file into the "ca" folder.

Interesting. I guess Apple works a bit differently to strongswan in this respect then, perhaps it auto-fetches intermediates (like gui web browsers do for https, but curl/etc don't).

The problem I'm having with a Let's Encrypt cert (or indeed any cert that requires an intermediate - before I tried LE I was using an internal "VPN CA" chained off my main internal CA) is that iked doesn't present the chain alongside its own certificate. You can have it send the chain cert along with CAs by including it in the ca/ directory but clients aren't looking there to validate the server cert. I think that's just missing from the implementation for now, but I was interested to hear that you had it working anyway.

Including the entirety of /etc/ssl/cert.pem in the ca/ folder isn't doing anything useful, this is just meant to be the CA you are using, and is used to provide a hint to the client about which client cert would be acceptable. With a big list that's a big chunk of UDP fragments, and for EAP-MSCHAPv2 (which doesn't even use a client cert) it doesn't help.
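The chain problem described in the reply above can be reproduced outside of iked. The script below is an added example, not code from this thread or from the iked project: it builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and then checks the leaf the way a client that trusts only the root would, first with just the leaf (what a gateway that sends only its own certificate gives the client) and then with the intermediate supplied as untrusted chain material. It assumes the openssl command-line tool is on PATH; every name, subject and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or iked): show that a leaf certificate
# issued by an intermediate CA cannot be validated against the root alone.
# Assumes openssl is on PATH; all names and paths are constructed for this demo.

WORK="${TMPDIR:-/tmp}/chain-demo.$$"

# Generate a fresh key and CSR with the given CN (writes $WORK/<name>.key/.csr).
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

make_chain() {
    mkdir -p "$WORK" || return 1
    # Extension profiles: CA certs get CA:TRUE + keyCertSign, the leaf does not.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' \
        > "$WORK/leaf.ext"

    # Root CA: self-signed.
    new_csr root "Demo Root CA" || return 1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1

    # Intermediate CA signed by the root (the role a Let's Encrypt intermediate plays).
    new_csr inter "Demo Intermediate CA" || return 1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" \
        >/dev/null 2>&1 || return 1

    # Leaf: the VPN gateway's own certificate, signed by the intermediate.
    new_csr leaf "vpn.example.test" || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" \
        >/dev/null 2>&1 || return 1
}

# A client that trusts the root and receives only the gateway's own certificate.
# Exits 0 only if the leaf validates; this is expected to fail.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The same client, but the intermediate arrives alongside the leaf as untrusted
# chain material (what presenting the full chain provides).
verify_with_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

cleanup() {
    rm -rf "$WORK"
}

main() {
    make_chain || { echo "could not build demo chain (is openssl installed?)"; return 1; }
    if verify_leaf_only; then
        echo "leaf alone: verified against root (unexpected)"
    else
        echo "leaf alone: verification FAILS, issuer (intermediate) not available"
    fi
    if verify_with_chain; then
        echo "leaf + intermediate: verification succeeds"
    else
        echo "leaf + intermediate: verification fails (unexpected)"
    fi
    cleanup
}

main "$@"
```

The second check is the situation a client is in when the gateway presents its certificate together with the intermediate; the first is what it gets when only the leaf is sent, which is why dropping the chain file into ca/ (where the client does not look for server-certificate validation) does not fix the error.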