Confused about using the Server Certificate Common Name for IPsec Mobile with EAP-MSCHAPv2



  • I am confused about using the Server Certificate Common Name for IPsec Mobile with EAP-MSCHAPv2 (for Windows clients)
    after reading a pfSense document on a Gold Subscription. The Common Name of the Server Certificate has to be, or "enter the Common Name as the hostname of the firewall as it exists in DNS".

    Example: my pfSense firewall at General Setup > Hostname: zwolle and Domain: ned.example.com = zwolle.ned.example.com, and
    I put "zwolle.ned.example.com" (the pfSense firewall hostname) into the Common Name of the Server Certificate.

    When I try to use the Windows 10 mobile client to connect to the IPsec VPN with the common name "zwolle.ned.example.com", it cannot connect because the name cannot be resolved,
    but when I use the real WAN public IP address I don't have any issue and it works fine.

    This is my testing network running Active Directory (domain: ned.example.com).

    Do I have to ask my provider to register the name "zwolle.ned.example.com" (the FQDN of my pfSense firewall hostname) so that it exists in DNS?

    Thank you

    Donny



  • Yes. You have to register a DNS A record for that FQDN (which you can't really do in your case, because I doubt that you own the domain example.com).
    Purchase a domain (very cheap these days) that you can use for your test setup/AD/DNS, for example testzwolle.com.
    Then you have complete control of the public DNS belonging to this domain.

    You have to be able to resolve the FQDN (example: vpn.testzwolle.com) to an IP address.
    The point being that if you change the IP in the future, you don't have to re-issue new certificates that point to the new IP, but only change the DNS A record for "vpn.testzwolle.com".
    It makes future maintenance easier ;)

    I hope what I wrote makes sense  :o

    P.S. This post really doesn't belong under 2.3Beta. I recommend that it gets moved to an appropriate part of the forum.



  • When I try to use the Windows 10 mobile client to connect to the IPsec VPN with the common name "zwolle.ned.example.com", it cannot connect because the name cannot be resolved,
    but when I use the real WAN public IP address I don't have any issue and it works fine.

    As this is a test environment, you could always create a forward lookup zone in your DNS server or even edit the hosts file in this instance. Both should achieve the desired results.



  • @jonathanbaird:

    When I try to use the Windows 10 mobile client to connect to the IPsec VPN with the common name "zwolle.ned.example.com", it cannot connect because the name cannot be resolved,
    but when I use the real WAN public IP address I don't have any issue and it works fine.

    As this is a test environment, you could always create a forward lookup zone in your DNS server or even edit the hosts file in this instance. Both should achieve the desired results.

    I already created a forward lookup zone "zwolle.ned.example.com" in my Active Directory DNS server, and I still cannot connect.

    In the forward lookup zone on the DNS server, do I have to use the public IP address or the pfSense LAN IP with "zwolle.ned.example.com"?

    Thank you very much



  • @Donny:

    @jonathanbaird:

    When I try to use the Windows 10 mobile client to connect to the IPsec VPN with the common name "zwolle.ned.example.com", it cannot connect because the name cannot be resolved,
    but when I use the real WAN public IP address I don't have any issue and it works fine.

    As this is a test environment, you could always create a forward lookup zone in your DNS server or even edit the hosts file in this instance. Both should achieve the desired results.

    I already created a forward lookup zone "zwolle.ned.example.com" in my Active Directory DNS server, and I still cannot connect.

    In the forward lookup zone on the DNS server, do I have to use the public IP address or the pfSense LAN IP with "zwolle.ned.example.com"?

    Thank you very much

    It depends where your pfSense is situated; if it is over a WAN you would use the public IP address. If you ping zwolle.ned.example.com, does it resolve to an IP address at all?



  • The only way I got things to work was by assigning both the CA and the IKEv2 certificate the same fully qualified domain name as is listed under General.



  • @kapara:

    The only way I got things to work was by assigning both the CA and the IKEv2 certificate the same fully qualified domain name as is listed under General.

    OK, I will try and let you know.

    Thank you

    Donny



  • All should be the same, like this: pfSense.domain.com, and you should create an A record in DNS with your domain registrar or with whomever hosts your DNS.

    I am assuming you are importing the cert into the trusted root certificates on the remote machines.



  • Thank you to everyone for the help.

    I will try this weekend what the people here have suggested to me about this.

    Donny



  • Now IPsec Mobile works fine.
    1. I made a DNS record for the FQDN of my pfSense hostname, zwolle.xxxxx.com, with the public WAN IP address from my ISP in the domain name system (DNS) for xxxxx.com.
    2. On the local Windows 10 computer, I tested a ping to the FQDN of the pfSense hostname, zwolle.xxxxx.com. It worked.
    3. Create the IPsec CA certificate; the common name can be whatever.
    4. Create the Server Certificate with the Common Name set to the FQDN of the pfSense hostname, zwolle.xxxxx.com. For the Alternative Name, I don't use it (Mac OS, Linux, etc.).
    5. Set up the IPsec tunnel Phase 1 with My identifier set to Distinguished name "zwolle.xxxxx.com", which is the same common name as on the Server Certificate.
    6. The other settings are the same as in the pfSense documentation wiki.
    7. Export only the IPsec CA to the Windows 10 client and then install the IPsec CA into Trusted Root Certification Authorities.
    8. Configure the properties of the IPsec connection adapter, for example at Security tab > IKEv2, Require encryption and Secured password (EAP-MSCHAPv2) (encryption enabled).
    9. Test the connection using the username and password created on the Pre-Shared Keys tab.
    10. Finally connected, and I can ping the local host, copy files, etc.

    Donny
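The client side of the ten steps above (steps 2, 7, 8 and 9), scripted so the checks that failed earlier in this thread are made explicit. This is an added example, not code from the thread or from pfSense; the FQDN placeholder, the CA file path, the CA subject fragment, and the IKE/ESP proposals are assumptions and must be adapted to your own firewall. Run it from an elevated PowerShell on the Windows 10 client.

```powershell
# Added example (not from the original thread): Windows 10 client-side setup
# for the pfSense IKEv2 / EAP-MSCHAPv2 mobile VPN described in the steps above.
# All names, paths and crypto parameters below are assumptions.

$Fqdn              = 'zwolle.xxxxx.com'     # must equal the Server Certificate's Common Name (step 4)
$VpnName           = 'pfSense IKEv2'
$CaFile            = 'C:\temp\ipsec-ca.crt'  # the IPsec CA exported from pfSense, certificate only (step 7)
$CaSubjectFragment = 'CN=IPsec CA'           # assumption: whatever CN you gave the CA in step 3

# Step 2: the name in the certificate must resolve from the client. This is the
# failure from the first post ("the name could not resolve"), so stop here if it fails.
$answer = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
$ip = $answer | Where-Object { $_.QueryType -eq 'A' } | Select-Object -ExpandProperty IPAddress
if (-not $ip) { throw "$Fqdn has no A record; the client cannot reach the firewall by name" }
Write-Host "Resolved $Fqdn to $ip"

# Step 7: trust the pfSense IPsec CA. Only the CA certificate is imported; the
# server certificate is presented by pfSense during IKE and chains to this CA.
Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$CaSubjectFragment*" }
if (-not $ca) { throw "CA certificate not found in LocalMachine\Root after import" }

# Step 8: IKEv2, EAP (Windows defaults to EAP-MSCHAPv2 when no EAP XML is given),
# encryption required. ServerAddress is the FQDN, not the WAN IP, so the
# certificate name check matches what pfSense sends as its identity (step 5).
Add-VpnConnection -Name $VpnName -ServerAddress $Fqdn -TunnelType IKEv2 `
    -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential -Force

# Replace the weak Windows IKEv2 defaults with proposals that match the pfSense
# Phase 1 / Phase 2 settings. Assumed here: AES-256, SHA-256, DH group 14, PFS 2048.
Set-VpnConnectionIPsecConfiguration -ConnectionName $VpnName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# Step 9: connect with the user created on the Pre-Shared Keys tab. The password
# is prompted for rather than stored in the script.
$cred = Get-Credential -Message 'EAP-MSCHAPv2 user from the pfSense Pre-Shared Keys tab'
rasdial $VpnName $cred.UserName $cred.GetNetworkCredential().Password

# Step 10: confirm the tunnel is up before testing ping or file copy.
Get-VpnConnection -Name $VpnName | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
```

If the DNS check passes but the connection is still refused by the client, compare the ServerAddress with the Common Name on the pfSense Server Certificate character for character; the thread's working configuration uses the same FQDN for the DNS record, the Server Certificate Common Name and the Phase 1 identifier, and the Windows client is configured with that FQDN rather than the WAN IP.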



  • @Donny:

    Now IPsec Mobile works fine.
    1. I made a DNS record for the FQDN of my pfSense hostname, zwolle.xxxxx.com, with the public WAN IP address from my ISP in the domain name system (DNS) for xxxxx.com.
    2. On the local Windows 10 computer, I tested a ping to the FQDN of the pfSense hostname, zwolle.xxxxx.com. It worked.
    3. Create the IPsec CA certificate; the common name can be whatever.
    4. Create the Server Certificate with the Common Name set to the FQDN of the pfSense hostname, zwolle.xxxxx.com. For the Alternative Name, I don't use it (Mac OS, Linux, etc.).
    5. Set up the IPsec tunnel Phase 1 with My identifier set to Distinguished name "zwolle.xxxxx.com", which is the same common name as on the Server Certificate.
    6. The other settings are the same as in the pfSense documentation wiki.
    7. Export only the IPsec CA to the Windows 10 client and then install the IPsec CA into Trusted Root Certification Authorities.
    8. Configure the properties of the IPsec connection adapter, for example at Security tab > IKEv2, Require encryption and Secured password (EAP-MSCHAPv2) (encryption enabled).
    9. Test the connection using the username and password created on the Pre-Shared Keys tab.
    10. Finally connected, and I can ping the local host, copy files, etc.

    Donny

    Just want to be sure: the way I did it above, is it correct?

    Thank you. Donny

