Clarifications for certificates for IKEv2+MSCHAP



  • I’m following the instructions here:

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Create_a_Server_Certificate

    but would like to clarify a few things:

    1. The pfSense UI seems to have changed since this wiki text was written. Where it talks about entering the Alternative Names, the 'type' field now seems to be a popup.
      a) Where it says "DNS", does it mean "FQDN or hostname"?
      b) Where it says "IP", it surely means "IP address"?

    2. It says "Enter the Common Name as the hostname of the firewall as it exists in DNS." Am I correct in thinking this means the public hostname and public DNS (as opposed to the LAN side)? Can it be a CNAME, or must it be an A record? For example: if I have only one public IP, my A record is www.example.com, and I have a CNAME that is vpn.example.com, what must I use?

    Thanks,

    Sean



  • Well, I finally have my VPN mostly working. It seems the answer to #1 is yes and yes.

    But I'd still like to know about #2. I have two 'A' records for my public IP, and using one of them for my certificate allows the VPN to work, but using the other, it doesn't. I don't understand that.
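Added example, not from the pfSense documentation or from Sean's posts: a POSIX shell script that uses OpenSSL (1.1.1 or newer, for -addext and -ext) to build a self-signed server certificate carrying the two kinds of Alternative Name the wiki table asks for, a DNS entry holding the FQDN clients connect to and an IP entry holding the WAN address, and then checks which names a client would accept. The hostnames vpn.example.com and www.example.com and the address 203.0.113.10 are assumptions for illustration. The security-relevant point it shows: clients match the name or address they were configured with against the certificate's SAN list, not against DNS, so a second name that resolves to the same public IP (whether by an A record or a CNAME) is rejected unless it is also listed in the certificate.

```shell
#!/bin/sh
# Added example (not pfSense's own code): build a server certificate whose SAN
# carries a DNS entry (FQDN) and an IP entry, then check which names match.
# The names and the address below are assumptions for illustration only.
set -eu

VPN_FQDN="vpn.example.com"   # name users will type into their IKEv2 client
VPN_IP="203.0.113.10"        # firewall WAN address (RFC 5737 documentation range)
WORK="${WORK:-$(mktemp -d)}" # scratch directory for key and certificate

# Self-signed server certificate with the SAN entries from the wiki's table.
# CN is set to the FQDN as the wiki suggests, but when a SAN is present clients
# match against the SAN list, not the CN. The serverAuth EKU is what the
# Windows built-in IKEv2 client requires on the server certificate.
make_server_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -subj "/CN=$VPN_FQDN" \
    -addext "subjectAltName=DNS:$VPN_FQDN,IP:$VPN_IP" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# Print the SAN extension as stored in the certificate.
show_san() {
  openssl x509 -in "$WORK/server.crt" -noout -ext subjectAltName
}

# Exit 0 if a client connecting to hostname $1 would accept the certificate.
# The self-signed cert is used as its own trust anchor so that only the
# name check decides the outcome.
name_matches() {
  openssl verify -CAfile "$WORK/server.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 if a client connecting to IP address $1 would accept the certificate.
ip_matches() {
  openssl verify -CAfile "$WORK/server.crt" -verify_ip "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Report whether one candidate name or address is acceptable.
report() {
  if name_matches "$1" || ip_matches "$1"; then
    echo "$1: accepted (present in SAN)"
  else
    echo "$1: rejected (not in SAN)"
  fi
}

make_server_cert
show_san
# www.example.com may point at the same public IP through a second A record
# or a CNAME, but it is not in the certificate, so a client using it fails.
for candidate in "$VPN_FQDN" "$VPN_IP" "www.example.com"; do
  report "$candidate"
done
```

To cover a second public name, add it as another DNS entry in the same SAN (for example "subjectAltName=DNS:vpn.example.com,DNS:www.example.com,IP:203.0.113.10"); the DNS record type behind the name never enters into the check.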