IPsec IKEv2 configuration for multiple servers with a single CA root certificate?
1.1 - WIKI:
* Common name should contain the IP or DNS name of the server;
Is it possible to use a wildcard DNS name, e.g. “*.domain.com”, that covers server1.domain.com and server2.domain.com?
* SAN (subject alternative name) should have the IP or DNS name of the server;
Is it possible to use a wildcard DNS name, e.g. “*.domain.com”, that covers server1.domain.com and server2.domain.com?
* EKU (extended key usage) tls-server and tls-client are required.
No problem at the moment; Android does not request a client certificate.
1.2 - This is the way I generated the certificates, but the strongSwan Android client fails because it doesn’t find “server1.domain.com”; it finds “*.domain.com”:
/certificate
add name="CA" country="XX" state="XX" locality="XX" \
organization="XX" common-name="ikev2" key-size=2048 \
days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign
/certificate
sign CA ca-crl-host=*.domain.com
Is ca-crl-host=*.domain.com possible??
/certificate
add name="Server_ikev2" country="XX" state="XX" locality="XX" \
organization="XX" common-name="*.domain.com" \
subject-alt-name="DNS:*.domain.com" key-size=2048 days-valid=3650 \
trusted=yes key-usage=tls-server
/certificate
sign Server_ikev2 ca=CA ca-crl-host=*.domain.com
Is DNS:*.domain.com possible??
Is ca-crl-host=*.domain.com possible??
Regards.
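The layout below is an added example (not the original poster's configuration and not taken from the MikroTik wiki) that follows the three wiki bullets quoted in the post: one root CA signs a separate certificate for each IKEv2 server, and each server certificate carries that server's exact DNS name and IP in both the common name and the SAN, with tls-server and tls-client in the EKU. The names server1.domain.com, server2.domain.com, the CRL host ca.domain.com and the 203.0.113.x addresses are placeholders. ca-crl-host is the literal host that clients fetch the CRL from (it ends up in a URL), so it takes one resolvable hostname or IP rather than a name pattern.

```routeros
# Added example, not code from the original post. Hostnames, IPs and
# the CRL host are placeholders; replace them with your own values.

/certificate

# Root CA: used only to sign server certificates and the CRL.
add name="CA" common-name="ikev2-ca" key-size=2048 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
sign CA ca-crl-host=ca.domain.com
set CA trusted=yes

# Server 1: CN and SAN carry exactly the name the client connects to,
# so the client's identity check matches without any wildcard.
add name="server1" common-name="server1.domain.com" \
    subject-alt-name="DNS:server1.domain.com,IP:203.0.113.1" \
    key-size=2048 days-valid=3650 key-usage=tls-server,tls-client
sign server1 ca=CA ca-crl-host=ca.domain.com

# Server 2: same CA, its own name and address.
add name="server2" common-name="server2.domain.com" \
    subject-alt-name="DNS:server2.domain.com,IP:203.0.113.2" \
    key-size=2048 days-valid=3650 key-usage=tls-server,tls-client
sign server2 ca=CA ca-crl-host=ca.domain.com

# Export only the CA certificate (no passphrase, so no private key)
# for installation on the clients; they trust any server cert it signed.
export-certificate CA
```

Clients only need the CA certificate imported; each server presents its own certificate, and the name the client is configured to connect to (server1.domain.com or server2.domain.com) must appear literally in that certificate's SAN. If the second server's certificate is generated on the first router, it has to be exported together with its private key (export-certificate with export-passphrase) and imported on the second router, since a server certificate without its key cannot be used for IKEv2.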