Thursday, February 28, 2019

Re: iked road warrior setup with multiple clients connecting

On 2019-02-28, Michael Lam <michael.mc.lam@gmail.com> wrote:
> Just want to highlight that there is a FAQ document checked in that
> provides some samples of iked configurations for road-warrior setup.
>
> I am using almost the same setup provided in the sample, and I can only
> have one client connected at a time. Once the 2nd client connects it
> will stop the first client from working.
>
> Hope this helps with others until it is fixed.

Note that the new FAQ page for VPNs is still a work in progress.
(In particular I think that the "OpenBSD as client" section which
tries to work around iked's lack of client side mode-config support
is not entirely correct yet).

>> Also responding to another user (due to some issue I can only get the
>> mailing list emails fixed.)
>>
>> I use a Letsencrypt certificate by doing the following:
>> 1. Copying the root certificate file from /etc/ssl/cert.pem (provided by
>> OpenBSD) into "ca" folder.
>> 2. Putting the certificate file obtained from Letsencrypt into "cert" folder
>> under iked folder.
>> 3. Putting the full chain certificate file into the "ca" folder.

Interesting. I guess Apple works a bit differently to strongswan
in this respect then, perhaps it auto-fetches intermediates (like
gui web browsers do for https, but curl/etc don't).

The problem I'm having with a Let's Encrypt cert (or indeed any cert
that requires an intermediate - before I tried LE I was using an
internal "VPN CA" chained off my main internal CA) is that iked
doesn't present the chain alongside its own certificate. You can
have it send the chain cert along with CAs by including it in the
ca/ directory but clients aren't looking there to validate the
server cert.

I think that's just missing from the implementation for now,
but I was interested to hear that you had it working anyway.

Including the entirety of /etc/ssl/cert.pem in the ca/ folder isn't
doing anything useful, this is just meant to be the CA you are using,
and is used to provide a hint to the client about which client cert
would be acceptable. With a big list that's a big chunk of UDP
fragments, and for EAP-MSCHAPv2 (which doesn't even use a client
cert) it doesn't help.
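The chain problem described above can be reproduced with nothing but openssl. The following script is an added example, not code from the mailing-list post or from iked: it builds a constructed root -> intermediate -> leaf chain (none of it real Let's Encrypt material, all names are made up) and shows that a client trusting only the root cannot validate the leaf unless the intermediate is presented alongside it, which is exactly what a server that sends only its own certificate fails to provide.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): builds a throwaway
# root -> intermediate -> leaf chain with openssl and shows that a client
# holding only the root CA cannot validate the leaf unless the
# intermediate is presented alongside it. All names and material here
# are constructed for the demonstration; nothing is real Let's Encrypt data.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the three certificates. Extensions are supplied via small
# ext files so the result does not depend on the system openssl.cnf.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' \
        > "$WORK/leaf.ext"

    # Root CA: self-signed from its own CSR.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

    # Intermediate CA, signed by the root (the cert a Let's Encrypt style
    # chain needs between the root and the server certificate).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" \
        -out "$WORK/inter.pem" >/dev/null 2>&1

    # Leaf: the VPN server certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# What a client sees when the server sends only its own certificate and
# the client trusts only the root: exit status 0 means "verified".
verify_leaf_alone() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# What the client sees when the intermediate arrives with the leaf; it is
# passed as untrusted chain material, as a peer-supplied cert would be.
verify_leaf_with_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

build_chain
if verify_leaf_alone; then
    echo "leaf alone: verified (unexpected)"
else
    echo "leaf alone: rejected, no path from leaf to a trusted root"
fi
if verify_leaf_with_chain; then
    echo "leaf + intermediate: verified"
fi
```

Running it prints a rejection for the leaf on its own and a success once the intermediate is supplied. The -untrusted flag models the peer handing over its chain: the intermediate is not trusted by itself, it only lets the verifier build a path up to the root it already holds. That is why dumping a root bundle into the ca/ directory does not substitute for the server presenting its intermediate.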
