[strongSwan] Is certificate matching compatible with ios8/ikev2?
Jill M. Dove
jilldove at gmail.com
Fri Jun 12 12:56:39 CEST 2015
I am using Apple Configurator to set up the client profile, which includes:
- Certificate identification, by uploading a pfx file into the Certificate payload.
- In the VPN payload, Configurator requires both a local identifier and a remote identifier, so the remote identifier is vpn.example.com, and the local identifier is testclient.
- The SAN in the certificate matches the local identifier, hence testclient.
In the ipsec.conf file, I have the following configuration.
config setup
        # uniqueids=never
conn TEMPLATE_IKEv2_Apple
        keyexchange=ikev2
        leftcert=TestEnvAltName.cer
        leftsubnet=0.0.0.0/0
        rightsourceip=10.60.72.0/21
        leftsendcert=always
        rightdns=158.43.128.72,195.129.12.115
        dpdaction=clear
        auto=add
        leftid=*.example.com
This configuration works fine, and the client connects to the vpn, however
I can see that the client device is identifying itself as testclient, in
accordance with the local identifier I gave it.
My problem is integrating the ios8 ikev2 devices into my production
environment, where I actually assign the rightsourceip address according to
the values in the certificate distinguished name field. To do this for
other devices I'm matching on the rightid DN, hence rightid="C=GB, OU=*, CN=*".
My question is that my ios8 devices seem to be identifying themselves to
strongswan solely according to their local identifier (testclient) rather
than the certificate DN. It also won't be possible to replicate the
contents of the DN in the local identifier (and the SAN).
Therefore, is there any way I can still use certificate matching to assign
the rightsourceip, when ios8 forces explicit assignment of a local
identifier in the client profile?
Thanks
Janet
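For reference, the per-DN pool assignment the post describes for the other (non-iOS) devices, written out as an added ipsec.conf fragment that is not part of the original message; the template name, the OU values and the pool ranges are assumed, and the comments only restate what the post reports about the iOS client's identity.

```ini
config setup
        # uniqueids=never

# Shared IKEv2 settings; the conns below pull them in via also=.
# No auto= here, so the template itself is never loaded as a conn.
conn TEMPLATE_IKEv2
        keyexchange=ikev2
        leftcert=TestEnvAltName.cer
        leftid=*.example.com
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        rightdns=158.43.128.72,195.129.12.115
        dpdaction=clear

# A peer is assigned to a conn by matching its IKE identity against
# rightid; strongSwan allows * wildcards in DN components. The identity
# must also be contained in the peer's certificate (subject DN or SAN),
# which is what ties the pool to the certificate contents.
conn engineering
        also=TEMPLATE_IKEv2
        rightid="C=GB, OU=Engineering, CN=*"
        rightsourceip=10.60.72.0/22
        auto=add

# A second DN pattern gets its own address pool.
conn sales
        also=TEMPLATE_IKEv2
        rightid="C=GB, OU=Sales, CN=*"
        rightsourceip=10.60.76.0/22
        auto=add

# As reported above, an iOS 8 client configured with the local identifier
# "testclient" sends that FQDN as its IKE identity rather than the
# certificate DN, so neither DN pattern selects a conn for it; that is
# the mismatch the question is about.
```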