I may not fully understand the FQDN requirement.
The two names that have to match I did.
Guide says:
Local ID must be set to the IPFire’s FQDN prefixed by an “@” sign. Remote ID must be the system’s hostname prefixed by an “@” sign and the hostname must also be added to the certificate as “Subject Alternative Name” prefixed with “DNS:”.
Disabled WiFi on my iPad to test. Won’t work.
Any suggestions on what’s wrong with my settings?
I think I may not fully understand this requirement:
The IPFire system should have a FQDN which resolves from the public Internet
How do I obtain that?
Isn’t this the same name as the header on top when accessing the web interface?
So, in the host certificate and as the local ID, you will have to use the FQDN under which that IPFire system is reachable from the internet. That usually is something like example.dyndns.org unless you have your own domain and a static IP address.
Apple macOS and iOS validate this when they check the certificate and so does IPFire.
For the remote ID, you can use whatever hostname you like. It does not need to resolve, but it needs to be the same in the ID field and further down in the SAN field.
The documentation is unfinished and I have been spending some time on it, so please raise your hand if anything is unclear.
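As an added illustration of the ID and SAN rules described in the reply above (this is not code from the forum or from IPFire itself), the following Python check takes the Local ID, Remote ID and FQDN from the IPsec connection settings plus the subjectAltName line of the host and client certificates as `openssl x509 -text` prints it, and lists every mismatch. All hostnames in it are constructed assumptions.

```python
import re
from typing import Dict, List

def parse_san(san: str) -> Dict[str, List[str]]:
    """Parse a subjectAltName as 'openssl x509 -text' prints it, e.g.
    'DNS:fw.example.org, IP Address:203.0.113.10'. Returns type -> values."""
    out: Dict[str, List[str]] = {}
    for entry in san.split(","):
        entry = entry.strip()
        if not entry:
            continue
        kind, sep, value = entry.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed SAN entry: {entry!r}")
        out.setdefault(kind.strip(), []).append(value.strip())
    return out

def _norm(name: str) -> str:
    """DNS names compare case-insensitively and without a trailing dot."""
    return name.strip().rstrip(".").lower()

def check_ids(local_id: str, remote_id: str, fqdn: str,
              host_san: str, client_san: str) -> List[str]:
    """Return the mismatches between the IPsec IDs and the two certificates;
    an empty list means the settings are consistent with each other."""
    problems: List[str] = []
    for label, ident in (("Local ID", local_id), ("Remote ID", remote_id)):
        if not ident.startswith("@"):
            problems.append(f"{label} {ident!r} must be prefixed with '@'")
    fqdn_n = _norm(fqdn)
    # A public FQDN has a dot, is not a bare IP address and is not the
    # IPFire default 'ipfire.localdomain' that appears when the field is left blank.
    if "." not in fqdn_n or fqdn_n.endswith(".localdomain") or re.fullmatch(r"[\d.]+", fqdn_n):
        problems.append(f"FQDN {fqdn!r} is not a public DNS name")
    if _norm(local_id.lstrip("@")) != fqdn_n:
        problems.append(f"Local ID {local_id!r} does not match the FQDN {fqdn!r}")
    # The host certificate must carry the FQDN as a DNS: SAN entry.
    host_dns = [_norm(v) for v in parse_san(host_san).get("DNS", [])]
    if fqdn_n not in host_dns:
        problems.append(f"host certificate SAN lacks DNS:{fqdn_n}")
    # The Remote ID may be any hostname, but the client certificate must carry
    # exactly that hostname as a DNS: SAN entry.
    remote_n = _norm(remote_id.lstrip("@"))
    client_dns = [_norm(v) for v in parse_san(client_san).get("DNS", [])]
    if remote_n not in client_dns:
        problems.append(f"client certificate SAN lacks DNS:{remote_n}")
    return problems
```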
So I went with no-ip.com
I assume the free version requires me to login and renew every 30 days. Paid is a fair price around $25 a year.
Anyway. Still not working. It was obviously an error by me in how I configured it the first time.
Now I can ping my no-ip (ddns.net) easily.
So this was great help.
What’s your next suggestion in order to locate the problem I have?
Where to look?
I deleted previous iPad profiles, so I think no problem there. Actually one more or less has to, in order to install a new profile.
Edit
Seems I should create a new certificate.
“The CA certificate must contain a subjectAlternativeName with the system’s FQDN which must be used for IPsec, too”
Based on that information, how to implement correct parameters in IPsec in my case?
Also, when creating the certificate, is FQDN a requirement?
What parameters in the certificate need to comply with IPFire settings?
I have a working xxxx.ddns.net that I can ping, so FQDN should be OK.
The local subnet settings must be wrong? This is what was predefined by IPFire. (Shown in picture below).
Also I think DNS Servers should be 192.168.20.1 in my case. Correct?
Or leave blank?
Andreas and I must be in similar boats (situations).
I tried getting a certificate setup and that failed. Then I hoped pre-shared-key (PSK) must be easier. Ha! I was wrong! I cannot get either to work!
Since I cannot connect via Cert or PSK I am wildly guessing I setup the Global Configuration incorrectly OR I setup the Certificate Authorities and -Keys incorrectly.
So my setup is an iPhone SE (2 gen) connected to LTE. And talking to an IPFire box on CU 158 (IPFire 2.25 (x86_64) - Core Update 158).
iPhoneSE via LTE → Internet → IPFire box.
This is the only error-ish entry on the IPFire box in the messages log:
If I leave the Host-to-Net Endpoint blank then the server becomes ipfire.localdomain and there is no connection via the Internet to my IPFire box. So this doesn’t sound right…