IKEv2 with EAP-MSCHAPv2 changing from IP to DNS name


  • I have an IKEv2 with EAP-MSCHAPv2 VPN up and running OK; my clients are connected to the IP address of my firewall.
    I want to change this setup from IP-based to hostname-based and am puzzled about the way to do this.

    I have created a new certificate with an additional entry for my IP address and set the common name to my DNS hostname.
    What is the correct order to change this and minimize downtime?

    • Install new certificate on clients
    • Change certificate at VPN connection
    • Change connections at client to connect using hostname instead of IP

    While changing this, will clients be able to connect using either IP or DNS, or does the "My identifier" at the IPsec entry always have to be the same as the entry that is entered at the (Windows 10) client?

    Thank you very much.

  • Rebel Alliance Developer Netgate

    You shouldn't need to touch the cert on the clients. They would only have the CA, not the server cert.

    All you need to do is change the server cert and then change where the clients connect.

    And for the record, the cert should have the hostname and IP address in the SAN list. But if you put the hostname in the CN, pfSense automatically adds a SAN for that as well, so it should be fine.
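A practical pre-flight check for the switch, added here as an example and not part of the thread or of pfSense: confirm the exported server certificate carries both the DNS name and the IP address as SANs before repointing any client, since a client that still dials the IP validates against the IP SAN while one using the name validates against the DNS SAN. It assumes `openssl` is on PATH; `vpn.example.com` and `203.0.113.10` are constructed placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the new server certificate
# carries both the DNS name and the IP address as SANs before moving clients
# from IP to hostname. vpn.example.com / 203.0.113.10 are constructed values.
set -eu

# Print the certificate's SAN entries one per line, e.g. "DNS:vpn.example.com".
san_entries() {
    openssl x509 -in "$1" -noout -text \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if $1 (PEM cert) contains the exact SAN entry $2.
cert_has_san() { san_entries "$1" | grep -qx "$2"; }

# Return 0 only if the cert covers both the hostname ($2) and the firewall IP ($3),
# i.e. clients can validate it whether they still dial the IP or already use the name.
cert_covers_both() {
    cert_has_san "$1" "DNS:$2" && cert_has_san "$1" "IP Address:$3"
}

# Build a throwaway self-signed cert with the SAN layout described in the thread
# (hostname in CN plus DNS and IP SANs) so the check can be exercised offline.
make_test_cert() {   # $1 = output directory
    cat > "$1/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = vpn.example.com
[v3_req]
subjectAltName = DNS:vpn.example.com, IP:203.0.113.10
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
      -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Self-test against the constructed cert; on a real box run
# cert_covers_both /path/to/exported-server-cert.pem <hostname> <firewall-ip> instead.
if [ "${1:-}" = "--selftest" ]; then
    d=$(mktemp -d)
    make_test_cert "$d"
    cert_covers_both "$d/cert.pem" vpn.example.com 203.0.113.10 && echo "SAN check OK"
fi
```
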