From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Easy IPsec connections for macOS & iOS
Date: Thu, 28 May 2020 19:58:37 +0100
In-Reply-To: <354ceb0a-53d4-1510-05bb-b9239da9dfa9@rymes.com>

Hi,

> On 28 May 2020, at 19:30, Tom Rymes wrote:
>
> This is great news, Michael. I do believe that the host and root certs need certain requirements for this to work? SANs come to mind.
>
> I believe that this is resolved for new installations, but folks with older installs and certificates might run into that old issue.

Yes, that might indeed happen. You might have really really old certificates that use MD5 or SHA1. Those should be replaced anyways.

All new connections will be created with the correct configuration for the certificates.

I still find the whole process a little bit too complicated, but I have no idea how to make it any better with the UI that we have. But luckily no manual intervention is required any more.

-Michael

>
> Tom
>
> On 05/28/2020 1:58 PM, Michael Tremer wrote:
>> Hello,
>> I have created a couple of patches for review. They introduce creating
>> IPsec roadwarrior connections for Apple devices.
>> IPsec connections can be easily exported as an XML structure which
>> can be imported into any iOS or macOS device.
>> Those connections allow that all traffic from that device can be
>> routed through an IPFire instance in a data center and split-horizon
>> VPNs are supported, too.
>> The configuration is as simple as usual although Apple has some
>> (sane) requirements to certificate lifetimes and really makes sure
>> that they are talking to the correct peer.
>> I have added a wiki page that explains how the connection needs to
>> be set up:
>> https://wiki.ipfire.org/configuration/services/ipsec/apple
>> I would like to encourage everyone to review my patches and test them
>> as well as the provided documentation.
>> As soon as I have some feedback, I would like to put this patchset
>> forward to be merged into the next Core Update.
>> Best,
>> -Michael