
List:       ipfire-development
Subject:    Re: Easy IPsec connections for macOS & iOS
From:       Michael Tremer <michael.tremer () ipfire ! org>
Date:       2020-05-28 18:58:37
Message-ID: D98E6860-E2C3-4B51-8BAA-FE95DE1A642B () ipfire ! org

Hi,

> On 28 May 2020, at 19:30, Tom Rymes <trymes@rymes.com> wrote:
> 
> This is great news, Michael. I do believe that the host and root certs need certain
> requirements for this to work? SANs come to mind.
> I believe that this is resolved for new installations, but folks with older
> installs and certificates might run into that old issue.

Yes, that might indeed happen. You might have really really old certificates that use
MD5 or SHA1. Those should be replaced anyways.

All new connections will be created with the correct configuration for the
certificates.

I still find the whole process a little bit too complicated, but I have no idea how
to make it any better with the UI that we have. But luckily no manual intervention is
required any more.

-Michael

> 
> Tom
> 
> On 05/28/2020 1:58 PM, Michael Tremer wrote:
> > Hello,
> > I have created a couple of patches for review. They introduce creating
> > IPsec roadwarrior connections for Apple devices.
> > IPsec connections can be easily exported as an XML structure which
> > can be imported into any iOS or macOS device.
> > Those connections allow that all traffic from that device can be
> > routed through an IPFire instance in a data center and split-horizon
> > VPNs are supported, too.
> > The configuration is as simple as usual although Apple has some
> > (sane) requirements to certificate lifetimes and really makes sure
> > that they are talking to the correct peer.
> > I have added a wiki page that explains how the connection needs to
> > be set up:
> > https://wiki.ipfire.org/configuration/services/ipsec/apple
> > I would like to encourage everyone to review my patches and test them
> > as well as the provided documentation.
> > As soon as I have some feedback, I would like to put this patchset
> > forward to be merged into the next Core Update.
> > Best,
> > -Michael

