Hi,
On 28 May 2020, at 19:30, Tom Rymes <trymes@rymes.com> wrote:
This is great news, Michael. I do believe that the host and root certs need certain requirements for this to work? SANs come to mind.
I believe that this is resolved for new installations, but folks with older installs and certificates might run into that old issue.
Yes, that might indeed happen. You might have really really old certificates that use MD5 or SHA1. Those should be replaced anyways.
All new connections will be created with the correct configuration for the certificates.
I still find the whole process a little bit too complicated, but I have no idea how to make it any better with the UI that we have. But luckily no manual intervention is required any more.
-Michael
Tom
On 05/28/2020 1:58 PM, Michael Tremer wrote:
Hello,
I have created a couple of patches for review. They introduce creating IPsec roadwarrior connections for Apple devices.
IPsec connections can be easily exported as an XML structure which can be imported into any iOS or macOS device. Those connections allow that all traffic from that device can be routed through an IPFire instance in a data center and split-horizon VPNs are supported, too.
The configuration is as simple as usual although Apple has some (sane) requirements to certificate lifetimes and really makes sure that they are talking to the correct peer.
I have added a wiki page that explains how the connection needs to be set up: https://wiki.ipfire.org/configuration/services/ipsec/apple
I would like to encourage everyone to review my patches and test them as well as the provided documentation. As soon as I have some feedback, I would like to put this patchset forward to be merged into the next Core Update.
Best,
-Michael