I have configured an IKEv2 VPN on a strongSwan server and a Windows 10 client, and it works fine. The authorization method is leftauth=pubkey and rightauth=eap-mschapv2.
Because the leftcert used to authorize the server is self-signed, I have to import the CA cert on the client machine, which is a bit tricky. So I wonder whether I can use a certificate from a public CA so that I don't need to import anything on the client machine.
I tried to put the Root CA cert and the Intermediate CA cert in ipsec.d/cacerts on the server, but the client keeps getting a 13801 error. After I install the intermediate cert on the client machine, it works just fine. Obviously, the 13801 error is due to the intermediate cert not being imported.
Is there any way to configure the server so that the client doesn't need to import the intermediate cert?
Best Answer
Yes, I believe you can do that. If you check this IKEv2 tutorial, this guy describes a way to use a Let's Encrypt certificate instead of a private certificate. As stated under the VPN Server section in the Readme:
You need to install a public certificate on your server following this.
In order to know how to use this certificate, check setup.sh in the IKEv2 tutorial given above.
Please go through **setup.sh** using your prior knowledge of IKEv2 (strongSwan) server configuration to fully understand the script.
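As an added illustration that is not part of the question or the answer: the script below builds a constructed three-tier test PKI with openssl and models the client's path validation, showing that the server certificate only validates when the intermediate is available to the client, whether imported locally or sent along by the server. The CA names, the host name vpn.example.test and the temporary work directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the chain
# validation behind the client's 13801 error with a constructed test PKI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EXT="$WORK/ca.ext"   # extensions that make the intermediate a real CA
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$EXT"

# Constructed root CA (self-signed), standing in for the public CA's root.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# Constructed intermediate CA, signed by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$EXT" \
  -out "$WORK/inter.crt" 2>/dev/null
# Constructed VPN server certificate (the leftcert), signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/inter.crt" \
  -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null

# Model the client's path validation: it trusts only the root (-CAfile) and
# may use extra, untrusted certificates the server sent along (-untrusted).
# Returns 0 when a chain from the server cert to the root can be built.
verify_server_cert() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" \
      "$WORK/server.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
  fi
}

# Server presents only its own certificate: the gap between root and server
# cert cannot be bridged, which is the situation behind error 13801.
chain_without_intermediate() { verify_server_cert ""; }
# Server presents the intermediate too: the chain closes without the client
# having to import anything but the public root it already trusts.
chain_with_intermediate() { verify_server_cert "$WORK/inter.crt"; }

# Stand-alone run: show both outcomes.
chain_without_intermediate && echo "without intermediate: valid" \
  || echo "without intermediate: invalid (expected)"
chain_with_intermediate && echo "with intermediate: valid (expected)"
```

In strongSwan's ipsec.d layout, cacerts holds trust anchors only; an intermediate that should be sent to the client alongside leftcert belongs in ipsec.d/certs.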