
I am new to IKEv2, and I want to install an IKEv2 VPN on an Ubuntu 18.04 server. I did it through this tutorial, but I have a couple of questions.

First, how can I configure its remote ID, because I use a URL for that in my iOS app?

The second is how can I omit using a cert file in the client; I mean I want to log in with just a username and password, and I don't want to trust the cert on client devices, because I use it in an app.

  • What remote ID exactly? What do you mean with "use a url for that"? The tutorial you referenced doesn't use client certificates, so not sure if your second question aims at the self-signed server certificate. Just create your server certificate via Let's Encrypt if you want to avoid installing your CA on the clients.
    – ecdsa, Commented Aug 27, 2020 at 11:25
  • @ecdsa thanks for the comment. I installed it on an Ubuntu server and I use an IP for the VPN server address, but I want to use a URL (e.g. sec.mydomain.com) as the remote ID for all my servers. And next, I don't want to install the cert on clients, because I must use it in an iOS app.
    – mohsen, Commented Aug 27, 2020 at 12:14
  • Just configure that domain name as identity in leftid then (must match a subjectAltName extension in the certificate). And as I said, get your certificate for your server from Let's Encrypt (or a commercial CA) so you don't have to install anything on the client.
    – ecdsa, Commented Aug 28, 2020 at 6:39
  • @ecdsa thank you so so much. If you can put it in an answer, that will allow me to accept it as the right answer.
    – mohsen, Commented Aug 28, 2020 at 7:59

1 Answer


To use a domain name instead of an IP address as the identity of the server, just configure it as the local identity there (e.g. in leftid in ipsec.conf). The configured identity has to be contained in a subjectAlternativeName extension in the server certificate.

To avoid having to install any certificates on the clients, use a server certificate issued by an already trusted Certificate Authority (CA). You can do so for free via Let's Encrypt, or alternatively buy a certificate from a commercial CA.
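One way to verify the requirement stated above, added here as an example script that is not part of the question, the answer or the tutorial: it reads leftid from ipsec.conf, lists the DNS subjectAltNames of the server certificate with openssl, and checks that the identity is one of them. The file paths, the domain sec.mydomain.com and the rightauth=eap-mschapv2 line in the sample conn are assumptions.

```shell
# Added example (not from the question or answer): check that the leftid set in
# ipsec.conf is one of the DNS subjectAltNames of the server certificate, which
# strongSwan requires. Paths and the domain sec.mydomain.com are assumptions.
IPSEC_CONF=${IPSEC_CONF:-/etc/ipsec.conf}
SERVER_CERT=${SERVER_CERT:-/etc/ipsec.d/certs/cert.pem}   # Let's Encrypt cert.pem

# First leftid= value, without quotes or the '@' prefix (FQDN identity, never resolved).
leftid_from_conf() {
    sed -n 's/^[[:space:]]*leftid[[:space:]]*=[[:space:]]*"\{0,1\}@\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" | head -n 1
}
# DNS: entries of the certificate's subjectAltName extension, one per line.
dns_sans_from_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}
# san_contains ID SANLIST: succeeds when ID exactly matches one line of SANLIST.
san_contains() {
    printf '%s\n' "$2" | grep -qxF "$1"
}
verify_identity() {
    id=$(leftid_from_conf "$1"); sans=$(dns_sans_from_cert "$2")
    if san_contains "$id" "$sans"; then
        echo "ok: leftid '$id' is a DNS SAN of $2"
    else
        echo "mismatch: leftid '$id' not among SANs: $(printf '%s' "$sans" | tr '\n' ' ')" >&2
        return 1
    fi
}

# Constructed sample conn section of the kind the answer describes: server identified
# by domain name, clients by username/password (rightauth=eap-mschapv2 is an assumption).
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
conn ikev2-vpn
    left=%any
    leftid=@sec.mydomain.com
    leftcert=cert.pem
    leftsendcert=always
    right=%any
    rightauth=eap-mschapv2
EOF
# Constructed SAN list, as dns_sans_from_cert prints it for a real certificate.
SAMPLE_SANS='sec.mydomain.com
www.mydomain.com'
# On the server itself, run the check against the real files when present.
if [ -r "$IPSEC_CONF" ] && [ -r "$SERVER_CERT" ]; then
    verify_identity "$IPSEC_CONF" "$SERVER_CERT"
fi
```

With an ipsec.conf-based strongSwan setup, Let's Encrypt's cert.pem belongs in /etc/ipsec.d/certs, chain.pem in /etc/ipsec.d/cacerts and privkey.pem in /etc/ipsec.d/private so the server can send the full chain that the client already trusts.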
