Changes

So far we === Create the CA and the client certificates ===  ikectl ca VPN create ikectl ca VPN install ikectl ca VPN certificate swtch.mgk.ro create server ikectl ca VPN certificate swtch.mgk.ro install ikectl ca VPN certificate emerald.local create client ikectl ca VPN certificate emerald.local install ikectl ca VPN certificate emerald.local export Move emerald.local.tgz to client machine. === iked.conf === We are using pre shared keyscertificates (default).

ikev2 "vpn" passive ipcomp esp \ from 0.0.0.0/0 to 0.0.0.0/0 \ from ::0/0 to ::0/0 \ local egress peer any \ psk "XXXXX" ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \ childsa enc aes-256 auth hmac-sha2-256 group modp2048 \ srcid swtch.mgk.ro \ config address 172.24.24.0/24 \ config address 2001:470:8c78203a:a0::/64 \ config name-server 172.24.24.1 \ config name-server 2001:470:8c78203a:a0::1 \ tag "vpn$name-$id" tap enc0

You need [https://itunes.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 Apple Configurator 2] to create a MDM profile. Use the hostname of the server for both "server address" and "remote ID". "Local ID" can should be blankthe FQDN you used when creating the client certificate. Use authentication setting "none", Load the exported certificates (both the CA and fill the "shared secret"client certificate) in the MDM profile.

* [https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html | Protecting my macOS and iOS devices with an OpenBSD VPN]