[strongSwan] using eap-tls and eap-mschapv2 simultaneously
dcamero at outlook.com
Tue Jan 5 05:23:05 CET 2016
You can probably just have two "conn" sections where they differ, with a shared "%default" conn where they are the same, but I have not tried this myself.
The certificates issued by "Let's Encrypt" work fine as server certificates if you are going to use user/password authentication (eap-mschapv2) on the iOS client side.

    sudo openssl x509 -in /etc/letsencrypt/live/vpn.example.com/fullchain.pem -text
    Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
    . . .
    . . .
    X509v3 Subject Alternative Name:

The special rules for iOS and OS X are, of course, imposed by Apple rather than by strongSwan. They are described in the strongSwan wiki on the page https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple) , especially in the sections "Certificate requirements for iOS interoperability" and "Certificate examples using strongSwan PKI tool".