On 2024-05-30, Radek <r...@int.pl> wrote:
> Thank you all for your replies.
>
> Actually, I did not know that providing seamless switching VPN solutions is
> so problematic. If it can't be done in a simple way, then it doesn't have to
> be seamless at any cost. Users will manually reconnect to this VPN when CARP
> does switchover and there will be no drama.
>
> I am currently using IPSEC/L2TP, but I do not insist on switching to
> wireguard. IPSEC/L2TP simply works smoothly on win10/11/mac. About 2020 I
> switched IKEv2 to IPSEC/L2TP when my CA certificate expired and I couldn't
> cope with updating it to get a VPN back to work. It was a pandemic, and
> everybody worked remotely. Then I quickly switched IKEv2 to IPSEC/L2TP to
> allow users to work remotely again, and so it remains to this day. Maybe it's
> time to replace IPSEC/L2TP with another/newer VPN solution - on the occasion of
> CARP deployment.
IKEv2 with certs signed by a publicly trusted CA is fairly easy to work with on the client side. The server side is a bit fiddly on OpenBSD; iked can send the necessary intermediate certs now, but it's not obvious which file they need to go in (and I forgot the details..)

> I also need to assign to users static IP addresses per user - if I remember
> correctly, IKEv2 assigned to users random addresses from the entire VPN pool and I
> couldn't cope with IP/user assignment.

IKEv2 certainly can; it depends on the software. The in-tree version of iked doesn't have a way to do it yet, but the patches at https://marc.info/?l=openbsd-tech&m=170895540813042&w=2 allow doing that via RADIUS config.