IKEv2 with EAP-MSCHAPv2 changing from IP to DNS name

IPsec
Log in to reply
  • J

    I have an IKEv2 with EAP-MSCHAPv2 VPN up and running OK; my clients are connected to the IP-address of my firewall.
    I want to change this setup from IP-based to hostname based and am puzzled what the way to do this is.

    I have created a new certificate with an additional entry for my IPaddress and set the common name to my DNS hostname.
    What is the correct order to change this and minimize downtime?

    • Install new certificate on clients
    • Change certificate at VPN connection
    • change connections at client to connect using hostname instead of IP

    While changing this, will clients be able to connect using either IP or DNS or does the "My identifier" at the IPsec entry allways have to be the same as the entry that is entered at the (Windows 10) client.

    thank you very much

    0
  • jimp
    Rebel Alliance Developer Netgate

    You shouldn't need to touch the cert on the clients. They would only have the CA, not the server cert.

    All you need to do is change the server cert and then change where the clients connect.

    And for the record, the cert should have the hostname and IP address in the SAN list. But if you put the hostname in the CN, pfSense automatically adds a SAN for that as well, so it should be fine.

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy