Are you able to have 2 clients connected at the same time? When I tried that (I am using mschap), whenever the 2nd client connects, the 1st one's traffic will not go through anymore (it stays connected, but no traffic can go through).

I raised this a month ago but it seems to have had no response. Still trying my luck.

> On 5 Apr 2019, at 9:39 AM, Matthew Ernisse <m...@going-flying.com> wrote:
>
> I have not tried ECDSA, however I've had iOS and macOS devices
> running with iked since it came into OpenBSD using certificate auth
> with RSA 2048 certs and an RSA 4096 CA.
>
> I just recently wrote a blog post on it; it includes a general overview
> of how I did it and a fragment of my .mobileconfig and iked.conf.
>
> https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html
>
> My VPN endpoint is currently running:
> OpenBSD 6.4 (GENERIC) #7: Thu Feb 28 18:10:07 CET 2019
> r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
>
> --Matt
>
>
>> On Apr 4, 2019, at 20:08, Tim Stewart <t...@stoo.org> wrote:
>>
>> Hi Ted,
>>
>> On 6/2/18 12:26 PM, Theodore Wynnychenko wrote:
>>> Hello
>>>
>>> Last year (before about 3/27/2017, when the "Add support for RFC4754 (ECDSA) and
>>> RFC7427 authentication" diff was committed to -current), I had set up and had
>>> been able to connect iOS devices (iPhone/iPad) to OpenBSD's iked, and have IKEv2
>>> VPNs happen, almost as if by magic.
>>>
>>> Authentication was accomplished using certificates signed by a local authority
>>> and then distributed to the iOS devices.
>>>
>>> Since 3/27/17, this has not been working. I sent a couple of emails about this
>>> last year (the initial one:
>>> https://marc.info/?l=openbsd-bugs&m=149706080419488&w=2).
>>>
>>> Over the last year, I have tried many things. Even though I don't know anything
>>> about programming (or C), I tried making little changes to the iked source, all
>>> without success. (Is that any surprise? No. I was amazed at times that my
>>> changes even resulted in a program that would actually start up and run.)
>>>
>>> I have tried creating several different CAs and certificates, using various
>>> different algorithms (ECDSA and RSA, with varying key lengths), all without
>>> success. For example, I just tried creating a CA and certificates with
>>> ECDSA384/SHA2-384; I distributed those to the iOS device (which supports them),
>>> but iked will not accept them and create a tunnel.
>>>
>>> In iked.conf, if I don't explicitly state something like "ecdsa384" as the
>>> authentication method (and this requires having a local copy of the public key
>>> on the OpenBSD machine), iked falls back to RFC7427 for authentication, but it
>>> appears that iOS does not support this (yet?).
>>>
>>> I have been downgrading iked to a version before 3/27/17 (every time I
>>> update -current), and this still allows my old certificates to work. But that
>>> doesn't seem sustainable.
>>>
>>> I have no idea how to proceed?
>>>
>>> Has anyone been able to get the -current (or at least, a snapshot after 3/27/17)
>>> version of iked to work with any iOS devices using certificates successfully?
>>> If so, I would really appreciate some advice on how it can be done.
>>>
>>> Thanks
>>> Ted
>>
>> Last night I tried to set up my iPad for the first time and ran into a
>> similar issue. Today I remembered writing a patch for a similar issue after
>> RFC7427 was added:
>>
>> https://marc.info/?l=openbsd-tech&m=149499973130985
>>
>> After applying this, and adding the `rsa' ikeauth parameter to the policy,
>> the iPad successfully connected.
>>
>> Can you try applying that patch and see if it resolves your issue? If it
>> also works for you, I'll reply on that thread and see if anyone wants to
>> opine on the patch.
>>
>> -TimS
>>
>> --
>> Tim Stewart
>> t...@stoo.org
>>
>