Hi,

Just want to give a pump here to see if anyone has got this resolved.
Rgds,
Michael

> On 1 Mar 2019, at 8:24 PM, Michael Lam <[email protected]> wrote:
>
>> On 1 Mar 2019, at 6:42 AM, Stuart Henderson <[email protected]> wrote:
>>
>> On 2019-02-28, Michael Lam <[email protected]> wrote:
>>> Just want to highlight that there is a FAQ document checked in that
>>> provides some samples of iked configurations for road-warrior setup.
>>>
>>> I am using almost the same setup provided in the sample, and I can only
>>> have one client connected at a time. Once the 2nd client connects it
>>> will stop the first client from working.
>>>
>>> Hope this helps others until it is fixed.
>>
>> Note that the new FAQ page for VPNs is still a work in progress.
>> (In particular I think that the "OpenBSD as client" section which
>> tries to work around iked's lack of client side mode-config support
>> is not entirely correct yet).
>
> Unfortunately in my setup OpenBSD is the server so probably mode-config
> support doesn't matter to me. Guess I still have to wait. With 6.5 coming
> maybe I will have to wait for 6.6 or pull from CVS when this gets fixed
> (if it is a bug and not my misconfiguration).
>
>>>> Also responding to another user (due to some issue I can only get the
>>>> mailing list emails fixed.)
>>>>
>>>> I use a Letsencrypt certificate by doing the following:
>>>> 1. Copying the root certificate file from /etc/ssl/cert.pem (provided by
>>>> OpenBSD) into the "ca" folder.
>>>> 2. Putting the certificate file obtained from Letsencrypt into the "cert"
>>>> folder under the iked folder.
>>>> 3. Putting the full chain certificate file into the "ca" folder.
>>
>> Interesting. I guess Apple works a bit differently to strongswan
>> in this respect then, perhaps it auto-fetches intermediates (like
>> gui web browsers do for https, but curl/etc don't).
>>
>> The problem I'm having with a Let's Encrypt cert (or indeed any cert
>> that requires an intermediate - before I tried LE I was using an
>> internal "VPN CA" chained off my main internal CA) is that iked
>> doesn't present the chain alongside its own certificate. You can
>> have it send the chain cert along with CAs by including it in the
>> ca/ directory but clients aren't looking there to validate the
>> server cert.
>>
>> I think that's just missing from the implementation for now,
>> but I was interested to hear that you had it working anyway.
>>
>> Including the entirety of /etc/ssl/cert.pem in the ca/ folder isn't
>> doing anything useful, this is just meant to be the CA you are using,
>> and is used to provide a hint to the client about which client cert
>> would be acceptable. With a big list that's a big chunk of UDP
>> fragments, and for EAP-MSCHAPv2 (which doesn't even use a client
>> cert) it doesn't help.
>>
> To this particular point (copying /etc/ssl/cert.pem into the ca/ folder),
> if I recall correctly, without this I couldn't get it working as iked
> will complain that my letsencrypt certificate is not valid.
>
> However I couldn't confirm for sure at the moment as I've already
> reverted to an IPSec/L2TP VPN using npppd.
>
> And yes I only tested iOS devices (that's all I got). The problem
> that still exists is that I can't have more than 1 client connected at
> one time.
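As an added example (not code from the thread or from iked itself), a small pure-Python audit of the layout Stuart describes: it reads the PEM files placed under iked's ca/ and certs/ directories, flags a ca/ that holds a whole trust bundle such as a copy of /etc/ssl/cert.pem, and reports a leaf certificate whose issuer is not among the CAs, i.e. a missing intermediate. The directory names and the bundle threshold of 10 are assumptions, and the sample certificates are constructed stand-ins with the right X.509 field order rather than real certificates.

```python
import base64, re

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """DER bytes of every CERTIFICATE block in one PEM file."""
    return [base64.b64decode("".join(b.split())) for b in PEM.findall(text)]

def tlv(der, pos=0):
    """Read one DER element at pos: (tag, value, position after it)."""
    tag, ln, pos = der[pos], der[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + ln], pos + ln

def issuer_subject(der):
    """Raw DER Name bytes of issuer and subject (byte-equal Names match)."""
    _, tbs, _ = tlv(tlv(der)[1])                   # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                       # optional [0] version
        fields.pop(0)
    # serial, signatureAlgorithm, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def audit(ca_pems, cert_pems, bundle_threshold=10):
    """Findings for the PEM contents of iked's ca/ and certs/ (assumed names)."""
    cas = [d for p in ca_pems for d in pem_to_der(p)]
    findings = []
    if len(cas) > bundle_threshold:                # threshold is an assumption
        findings.append(f"ca/ holds {len(cas)} certs: looks like a copied trust bundle")
    ca_subjects = {issuer_subject(d)[1] for d in cas}
    for d in (d for p in cert_pems for d in pem_to_der(p)):
        if issuer_subject(d)[0] not in ca_subjects:
            findings.append("certs/ leaf issuer not found in ca/: intermediate missing")
    return findings

# Constructed sample input (not real certificates): stand-ins with the X.509
# field order the parser above walks, so the example runs offline.
def enc(tag, val):
    ln = bytes([len(val)]) if len(val) < 128 else b"\x82" + len(val).to_bytes(2, "big")
    return bytes([tag]) + ln + val

def fake_cert(issuer, subject):
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x0C, cn.encode()))))
    tbs = enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"") + name(issuer) + enc(0x30, b"") + name(subject)
    der = enc(0x30, enc(0x30, tbs) + enc(0x30, b"") + enc(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

ROOT, INTER, LEAF = fake_cert("Root", "Root"), fake_cert("Root", "Inter"), fake_cert("Inter", "vpn.example")
```

With ROOT and INTER in ca/ the audit is clean; with only ROOT it reports the missing intermediate, and a ca/ file with the whole bundle trips the size check as well.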

