Hi Guys,

While I personally haven't used OpenBSD for almost 20 years, I'm glad it's still around and strong when I need it most. Thank you.

Ok, so I have about 45 students and teachers that I would like to create a VPN for. I've looked at the alternatives and iked it is. Our environment is mainly macOS/iOS. I'm not by any means an expert in VPNs or crypto for that matter, but I'm a software engineer so I think I can figure this out. With that in mind, I've created an /etc/iked.conf file that looks like this:

    ikev2 "school" passive esp from 0.0.0.0/0 to 192.168.1.0/24 \
        local 7.7.7.7 peer any \
        ikesa enc aes-128-gcm auth hmac-sha2-256 group ecp256 \
        childsa enc aes-128-gcm auth hmac-sha2-256 group ecp256 \
        ecdsa256 config address 192.168.1.0/24 \
        config name-server 192.168.1.1 config access-server 192.168.1.1

Here are my questions:

Strongswan has the concept of virtualips to deal with "road warriors." Would the range as I have set it up in my iked.conf deal with road warriors using, say, iPhones with IPs that I can't possibly hardcode? In other words, will an IP from that range be assigned to the devices connecting?

My second question is dealing with certificates and ikectl. In the ikectl man pages there's an example:

To create the certificate authority:

    # ikectl ca vpn create

To create the certificates for the peers:

    # ikectl ca vpn certificate 10.1.2.3 create
    # ikectl ca vpn certificate 10.1.2.4 create
    # ikectl ca vpn certificate 10.1.2.5 create

Add the host as a VPN peer:

    # ikectl ca vpn install
    # ikectl ca vpn certificate 10.1.2.3 install

Export the certificate and CAs for the peers:

    # ikectl ca vpn certificate 10.2.3.4 export
    # ikectl ca vpn certificate 10.3.4.5 export

Create the tarballs and extract them to /etc/iked/:

    10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz
    10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz

Questions: When I create a certificate as in:

    # ikectl ca vpn certificate 10.1.2.4 create

Is 10.1.2.4 hypothetically one of the IPs in the range that was used in iked.conf?

Last but not least, if I were to change the name of the certificate(s) from, say, 10.1.2.4.pem to one more descriptive, say... janesmith.pem, will it still match the IKEv2 identity when the device tries to connect?

Thanks in advance guys,
Jose
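An added check for the last question (not part of Jose's post): ikectl(8) writes the name given to `certificate ... create` into the certificate's subjectAltName (as an IP, DNS or email entry depending on its form), and iked matches the IKEv2 identity against that extension rather than the file name; that behaviour is the assumption this script relies on. It builds constructed, self-signed ECDSA P-256 certificates with openssl(1) 1.1.1 or later, stores one under a file name unrelated to its identity, and reads the identity back from the certificate itself.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl(1) >= 1.1.1.
# Shows that the identity a certificate carries lives in its subjectAltName,
# so renaming the .pem file does not change what is presented for matching.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SAN: write NAME.pem with the given subjectAltName entry
# (e.g. "email:jane@school.example", "IP:10.1.2.4", "DNS:vpn.school.example").
# The key is P-256 to match the ecdsa256 auth method in iked.conf.
make_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -days 1 -subj "/CN=${2#*:}" -addext "subjectAltName=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# cert_identity FILE: print the identity stored in the certificate's SAN,
# whatever its type, ignoring the file name entirely.
cert_identity() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | sed -E -n 's/^ *(IP Address|DNS|email):(.*)$/\2/p'
}

# Constructed identities: a user (UFQDN) and an address-style one like the
# ikectl(8) man page example.
make_cert janesmith "email:janesmith@school.example"
make_cert 10.1.2.4  "IP:10.1.2.4"

# A copy under a completely different file name still carries the same SAN.
cp "$WORK/janesmith.pem" "$WORK/renamed.pem"

cert_identity "$WORK/janesmith.pem"   # prints janesmith@school.example
cert_identity "$WORK/renamed.pem"     # prints janesmith@school.example
cert_identity "$WORK/10.1.2.4.pem"    # prints 10.1.2.4
```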