
I am new to IKEv2, and I want to install an IKEv2 VPN on an Ubuntu 18.04 server. I did it through this tutorial, but I have a couple of questions.

First, how can I configure its remote ID? I use a URL for that in my iOS app.

Second, how can I avoid using a cert file in the client? I mean I want to log in with just a username and password, and I don't want to have to trust the cert on client devices, because I use it in an app.

mohsen
    What remote ID exactly? What do you mean by "use a URL for that"? The tutorial you referenced doesn't use client certificates, so I'm not sure whether your second question is about the self-signed server certificate. Just create your server certificate via Let's Encrypt if you want to avoid installing your CA on the clients. – ecdsa Aug 27 '20 at 11:25
  • @ecdsa thanks for the comment. I installed it on an Ubuntu server and I use an IP for the VPN server address, but I want to use a URL (e.g. sec.mydomain.com) as the remote ID for all my servers. And next, I don't want to install the cert on the clients, because I must use it in an iOS app. – mohsen Aug 27 '20 at 12:14
  • Just configure that domain name as the identity in _leftid_ then (it must match a subjectAltName extension in the certificate). And as I said, get the certificate for your server from [Let's Encrypt](https://letsencrypt.org/) (or a commercial CA) so you don't have to install anything on the client. – ecdsa Aug 28 '20 at 06:39
  • @ecdsa thank you so much. If you could put it in an answer, I could accept it as the right answer. – mohsen Aug 28 '20 at 07:59

1 Answer

To use a domain name instead of an IP address as identity of the server, just configure it as local identity there (e.g. in leftid in ipsec.conf). The configured identity has to be contained in a subjectAlternativeName extension in the server certificate.

To avoid having to install any certificates on the clients, use a server certificate issued by an already trusted Certificate Authority (CA). You can do so for free via Let's Encrypt, or alternatively buy a certificate from a commercial CA.

ecdsa
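The configuration described in the answer, as an added example (not part of the original answer or of the tutorial the asker used): a strongSwan `conn` fragment that uses a domain name as the server identity, plus a check that the name is actually present as a DNS subjectAltName in the server certificate. The identity `sec.mydomain.com` is taken from the asker's comment; the certificate path `/etc/ipsec.d/certs/server.pem`, the `conn` name and the use of `eap-mschapv2` for username/password authentication are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed values:
#   sec.mydomain.com              - server identity from the question
#   /etc/ipsec.d/certs/server.pem - where a tutorial-style setup keeps the cert
SERVER_ID="sec.mydomain.com"
SERVER_CERT="/etc/ipsec.d/certs/server.pem"

# Print the ipsec.conf conn fragment. leftid must equal a DNS subjectAltName
# in leftcert, or clients will reject the server's identity. rightauth uses
# EAP-MSCHAPv2 (assumed), so clients need only a username/password and must
# trust only the CA that issued the server cert; with a Let's Encrypt cert
# that CA is already in the client's trust store, so nothing is installed.
print_conn() {
  cat <<EOF
conn ikev2-vpn
    auto=add
    keyexchange=ikev2
    left=%any
    leftid=@$1
    leftcert=server.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    eap_identity=%identity
EOF
}

# Extract the subjectAltName entries of a PEM certificate as a comma-separated
# list without spaces, e.g. "DNS:sec.mydomain.com,DNS:vpn.mydomain.com".
cert_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# san_contains SAN_LIST NAME: succeed (exit 0) only if "DNS:NAME" is one of
# the entries. An empty SAN list never matches.
san_contains() {
  san="$1"
  id="$2"
  for entry in $(printf '%s' "$san" | tr ',' ' '); do
    [ "$entry" = "DNS:$id" ] && return 0
  done
  return 1
}

main() {
  print_conn "$SERVER_ID"
  if [ -r "$SERVER_CERT" ]; then
    san=$(cert_san "$SERVER_CERT")
    if san_contains "$san" "$SERVER_ID"; then
      echo "OK: leftid $SERVER_ID is covered by subjectAltName [$san]"
    else
      echo "MISMATCH: leftid $SERVER_ID is not in subjectAltName [$san]" >&2
      return 1
    fi
  else
    echo "note: $SERVER_CERT not found, skipping the subjectAltName check" >&2
  fi
}

main "$@"
```

Run it on the server after obtaining the certificate; a MISMATCH means the identity in `leftid` will not be accepted by clients even though the certificate itself chains to a trusted CA, so either change `leftid` or reissue the certificate with that name in its subjectAltName.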