Clarifications for certificates for IKEv2+MSCHAP
-
I’m following the instructions here:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Create_a_Server_Certificate
but would like to clarify a few things:
-
1) The pfSense UI seems to have changed since this wiki text was written. Where it talks about entering the Alternative Names, the 'type' field now seems to be a popup.
a) Where it says "DNS", does it mean "FQDN or hostname"?
b) Where it says "IP", it surely means "IP address"?
2) It says "Enter the Common Name as the hostname of the firewall as it exists in DNS." Am I correct in thinking this means the public hostname and public DNS (as opposed to the LAN side)? Can it be a CNAME, or must it be an A record? e.g. if I have only one public IP, my A record is www.example.com and I have a CNAME that is vpn.example.com, which must I use?
Thanks,
Sean
-
Well, I finally have my VPN mostly working. It seems the answers to #1 are yes and yes.
But I'd still like to know about #2. I have two 'A' records for my public IP, and using one of them for my certificate allows the VPN to work, but using the other it doesn't. I don't understand that.
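The SAN and Common Name questions in this thread come down to one check a client performs: does the name (or address) it dialled appear in the server certificate's Subject Alternative Name? The script below is an added example, not the pfSense wiki's procedure or the poster's own configuration. It assumes `openssl` is on the path, uses the constructed placeholders vpn.example.com, www.example.com and 203.0.113.10, and includes the IKE Intermediate EKU (1.3.6.1.5.5.8.2.2) that Windows IKEv2 clients look for; whether that EKU is needed for a given client is an assumption to confirm against the wiki's "Server Certificate" type. It builds a throwaway CA and server certificate with a DNS-type and an IP-type SAN entry, then asks OpenSSL which connection names it would accept.

```sh
#!/bin/sh
# Added example (not from the pfSense wiki or the original poster): create a
# throwaway CA and an IKEv2 server certificate whose Subject Alternative Names
# carry the public FQDN (type DNS) and the public IP (type IP), then check which
# names a client's certificate validation would accept.
# vpn.example.com, www.example.com and 203.0.113.10 are constructed placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
    cat > "$WORK/vpn.cnf" <<'EOF'
[req]
distinguished_name = dn

[dn]

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[server_ext]
# SAN "DNS" = the FQDN clients connect to; "IP" = the firewall's public address
subjectAltName = DNS:vpn.example.com, IP:203.0.113.10
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# serverAuth plus the IKE Intermediate EKU (1.3.6.1.5.5.8.2.2) that Windows
# IKEv2 clients look for (assumed requirement; check against your client)
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
EOF

    # Throwaway CA (self-signed, CA:TRUE)
    openssl req -x509 -config "$WORK/vpn.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

    # Server CSR; the CN is the public hostname as it resolves in public DNS
    openssl req -new -config "$WORK/vpn.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=vpn.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

    # Sign the CSR with the CA, attaching the SAN/EKU extensions from server_ext
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -extfile "$WORK/vpn.cnf" -extensions server_ext \
        -out "$WORK/server.crt" 2>/dev/null
}

# Exit 0 when a client dialling hostname $1 would accept server.crt
# (chain validates against the CA and $1 matches a DNS SAN entry)
accepts_name() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# Same check for a client dialling the raw IP address $1 (matches IP SAN entries)
accepts_ip() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# Show the SAN entries actually present; this is what the client matches on,
# not the DNS zone (a second A record pointing at the same IP does not count)
san_entries() {
    openssl x509 -in "$WORK/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name'
}

make_certs
san_entries
for name in vpn.example.com www.example.com; do
    if accepts_name "$name"; then echo "$name: accepted"; else echo "$name: rejected"; fi
done
```

Run as-is and the first hostname is accepted while the second is rejected, even though both could resolve to the same public IP: what matters is the name the client was told to connect to, and that exact name (or the IP, if the client dials an address) has to be listed as a SAN entry. A CNAME works only if the CNAME's own name is the one in the SAN and the one the client dials.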