> On 1 Mar 2019, at 6:42 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> 
> On 2019-02-28, Michael Lam <michael.mc....@gmail.com> wrote:
>> Just want to highlight that there is a FAQ document checked in that
>> provides some samples of iked configurations for road-warrior setup.
>> 
>> I am using almost the same setup provided in the sample, and I can only
>> have one client connected at a time. Once the 2nd client connects it
>> will stop the first client from working.
>> 
>> Hope this helps with others until it is fixed.
> 
> Note that the new FAQ page for VPNs is still a work in progress.
> (In particular I think that the "OpenBSD as client" section which
> tries to work around iked's lack of client side mode-config support
> is not entirely correct yet).

Unfortunately in my setup OpenBSD is the server, so probably mode-config
support doesn't matter to me. Guess I still have to wait. With 6.5 coming,
maybe I will have to wait for 6.6 or pull from CVS when this gets fixed
(if it is a bug, not my misconfiguration).

> 
>>> Also responding to another user (due to some issue I can only get the
>>> mailing list emails fixed.) 
>>> 
>>> I use a Letsencrypt certificate by doing the following:
>>> 1. Copying the root certificate file from /etc/ssl/cert.pem (provided by
>>> OpenBSD) into the "ca" folder.
>>> 2. Putting the certificate file obtained from Letsencrypt into "cert" folder
>>> under iked folder.
>>> 3. Putting the full chain certificate file into the "ca" folder.
> 
> Interesting. I guess Apple works a bit differently to strongswan
> in this respect then, perhaps it auto-fetches intermediates (like
> gui web browsers do for https, but curl/etc don't).
> 
> The problem I'm having with a Let's Encrypt cert (or indeed any cert
> that requires an intermediate - before I tried LE I was using an
> internal "VPN CA" chained off my main internal CA) is that iked
> doesn't present the chain alongside its own certificate. You can
> have it send the chain cert along with CAs by including it in the
> ca/ directory but clients aren't looking there to validate the
> server cert.
> 
> I think that's just missing from the implementation for now,
> but I was interested to hear that you had it working anyway.
> 
> Including the entirety of /etc/ssl/cert.pem in the ca/ folder isn't
> doing anything useful, this is just meant to be the CA you are using,
> and is used to provide a hint to the client about which client cert
> would be acceptable. With a big list that's a big chunk of UDP
> fragments, and for EAP-MSCHAPv2 (which doesn't even use a client
> cert) it doesn't help.
> 
> 
To this particular point (copying /etc/ssl/cert.pem into the ca/ folder):
if I recall correctly, without this I couldn't get it working, as iked
will complain that my Let's Encrypt certificate is not valid.

However, I couldn't confirm for sure at the moment, as I've already
reverted to an IPsec/L2TP VPN using napped.

And yes, I only tested iOS devices (that's all I got). The problem that
still exists is that I can't have more than one client connected at
a time.
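Stuart's point above is that the ca/ directory is meant to hold the CA you actually issue against, and that dropping the whole system trust store in there only bloats the IKE_SA_INIT/IKE_AUTH exchange into many UDP fragments. The following script is an added example written for this thread, not code from OpenBSD, iked or either poster: it counts the PEM certificates in each file under ca/, flags a file that looks like a copied trust store, and verifies the server certificate against the CA with the intermediate chain supplied as untrusted. The directory layout (/etc/iked with ca/, certs/ and private/) follows the iked defaults; the file names, the ten-certificate threshold and the IKED_DIR variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the contents of an iked
# certificate directory. Paths are assumptions; OpenBSD's default is /etc/iked
# with subdirectories ca/, certs/ and private/.

IKED_DIR="${IKED_DIR:-/etc/iked}"

# Count the PEM certificate blocks in a file (prints 0 if the file is missing
# or holds no certificate; grep exits 1 on zero matches, hence the "|| true").
count_pem_certs() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo 0
        return 0
    fi
    grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true
}

# Return 0 if the file looks like a copied system trust store rather than the
# VPN CA (the threshold of 10 is an assumption: a VPN CA plus its intermediates
# is a handful of certificates, /etc/ssl/cert.pem is well over a hundred).
is_trust_store_bundle() {
    n=$(count_pem_certs "$1")
    [ "$n" -gt 10 ]
}

# Verify that the server certificate chains to the CA file, using openssl(1).
# The chain file (e.g. Let's Encrypt's intermediate) is passed as untrusted so
# the check mirrors what a client does: trust the root, build through the
# intermediate to the leaf. Returns openssl's exit status.
verify_server_cert() {
    ca="$1"; cert="$2"; chain="$3"
    if [ -n "$chain" ]; then
        openssl verify -CAfile "$ca" -untrusted "$chain" "$cert"
    else
        openssl verify -CAfile "$ca" "$cert"
    fi
}

# Report on every file in the ca/ directory of an iked configuration.
audit_iked_dir() {
    dir="$1"
    for ca in "$dir"/ca/*; do
        [ -f "$ca" ] || continue
        n=$(count_pem_certs "$ca")
        if is_trust_store_bundle "$ca"; then
            echo "WARN: $ca holds $n certificates; looks like a copied trust store, not the VPN CA"
        else
            echo "ok:   $ca holds $n certificate(s)"
        fi
    done
}

# Usage: sh audit-iked.sh audit            (assumed file name)
#        IKED_DIR=/path/to/iked sh audit-iked.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_iked_dir "$IKED_DIR"
fi
```

Run it with the `audit` argument on the server; a WARN line for a file in ca/ means that file carries far more than the issuing CA and its intermediates, which is the situation described in the thread. To check the chain itself, call verify_server_cert with the CA file, the certificate from certs/ and the intermediate chain file; a failure there means a client that does not fetch intermediates on its own will reject the server certificate regardless of what is in ca/.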
