[GUIDE] strongSwan for IPsec on OpenWrt and Homeware

  • 249 Replies
  • 70522 Views


Offline a1pollo

  • Senior Member
  • ***
  • 172
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #180 on: 29 December 2020, 21:23 »
@SpiK369, @FrancYescO, I have now generated several certificates with the script; I set a password here:
Code:
CACERTPASSWORD="pignolo1" #if set will be asked when installing cert on clients or generating new clientCert
and it works on all the certificates: when I install them it asks me for the password
Code:
#!/bin/sh

echo "Installing strongswan..."

opkg install strongswan-default strongswan-pki strongswan-mod-dhcp
opkg list | grep strongswan-mod-eap-  | awk '{print $1}' | xargs opkg install

COUNTRYNAME="US"
CANAME="CATechnicolor"
ORGNAME="Technicolor"
CACERTPASSWORD="pignolo1" #if set will be asked when installing cert on clients or generating new clientCert
SERVERDOMAINNAME=$(uci get ddns.myddns_ipv4.domain) #"myvpnserver.dyndns.org"
CLIENTNAMES="client1 client2 client3" # or more " … myvpnclient2 muvpnclient3"
SHAREDSAN="myVpnClients" # iOS clients need to match a common SAN
« Last edit: 30 December 2020, 11:52 by a1pollo »

Offline FrancYescO

  • VIP
  • *****
  • 3382
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #181 on: 30 December 2020, 01:48 »
Yes, but then does "test" work as the password?

Offline a1pollo

  • Senior Member
  • ***
  • 172
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #182 on: 30 December 2020, 11:46 »
Pignolo, I set a longer one, 8 characters :rotfl:

Offline SpiK369

  • Junior Member
  • **
  • 75
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #183 on: 02 January 2021, 11:29 »
Damn, yes, it is 13 characters long. Is that the problem?

Offline a1pollo

  • Senior Member
  • ***
  • 172
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #184 on: 02 January 2021, 17:38 »
No, I tried just now and a 13-character password works too; with 4 characters it does not work! I don't know the minimum length.

@FrancYescO, could it work like this, with the password taken automatically from the ddns service?
Code:
#!/bin/sh
COUNTRYNAME="US"
CANAME="CATechnicolor"
ORGNAME="Technicolor"
CACERTPASSWORD=$(uci get ddns.myddns_ipv4.password) #if set will be asked when installing cert on clients or generating new clientCert
SERVERDOMAINNAME=$(uci get ddns.myddns_ipv4.domain) #"myvpnserver.dyndns.org"
CLIENTNAMES="myvpnclient myvpnclient2 muvpnclient3" # or more " … myvpnclient2 muvpnclient3"
SHAREDSAN="myVpnClients" # iOS clients need to match a common SAN

cd /tmp

# $CLIENTNAMES here: the original echoed $CLIENTNAME, which is still unset at this
# point, hence the empty client name in the log below
echo "Building certificates for [ $SERVERDOMAINNAME ] and clients [ $CLIENTNAMES (aka $SHAREDSAN) ] "

[ -f "/etc/ipsec.d/private/ca.p12" ] && ln -s /etc/ipsec.d/private/ca.p12 ca.p12

if [ -f "caKey.pem" ] ; then
  echo "caKey exists, using existing caKey for signing serverCert and clientCert...."
elif [ -f "ca.p12" ] ; then
  echo "CA keys bundle exists, accessing existing protected caKey for signing serverCert and clientCert...."
  openssl pkcs12 -in ca.p12 -nocerts -out caKey.pem # prompts interactively for the bundle password
else
  echo "generating a new cakey for [ $CANAME ]"
  ipsec pki --gen --outform pem > caKey.pem
fi
echo "generating caCert for [ $CANAME ]..."
ipsec pki --self --lifetime 3652 --in caKey.pem --dn "C=$COUNTRYNAME, O=$ORGNAME, CN=$CANAME" --ca --outform pem > caCert.pem
openssl x509 -inform PEM -outform DER -in caCert.pem -out caCert.crt
echo "Now building CA keys bundle"
openssl pkcs12 -export -inkey caKey.pem -in caCert.pem -name "$CANAME" -certfile caCert.pem -caname "$CANAME" -out ca.p12 -password "pass:$CACERTPASSWORD"

echo "generating server certificates for [ $SERVERDOMAINNAME ]... "
ipsec pki --gen --outform pem > serverKey_$SERVERDOMAINNAME.pem
ipsec pki --pub --in serverKey_$SERVERDOMAINNAME.pem | ipsec pki --issue --lifetime 3652 --cacert caCert.pem --cakey caKey.pem --dn "C=$COUNTRYNAME, O=$ORGNAME, CN=$SERVERDOMAINNAME" --san="$SERVERDOMAINNAME" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert_$SERVERDOMAINNAME.pem
#openssl x509 -inform PEM -outform DER -in serverCert_$SERVERDOMAINNAME.pem -out serverCert_$SERVERDOMAINNAME.crt

for CLIENTNAME in $CLIENTNAMES; do
  if [ -f "clientCert_$CLIENTNAME.pem" ] ; then
    echo "clientCert for [ $CLIENTNAME ] exists, not generating new clientCert."
    continue
  fi
  echo "generating clientCert for [ $CLIENTNAME (aka $SHAREDSAN) ]..."
  ipsec pki --gen --outform pem > clientKey_$CLIENTNAME.pem
  ipsec pki --pub --in clientKey_$CLIENTNAME.pem | ipsec pki --issue --lifetime 3652 --cacert caCert.pem --cakey caKey.pem --dn "C=$COUNTRYNAME, O=$ORGNAME, CN=$CLIENTNAME" --san="$CLIENTNAME" --san="$SHAREDSAN" --outform pem > clientCert_$CLIENTNAME.pem
  openssl x509 -inform PEM -outform DER -in clientCert_$CLIENTNAME.pem -out clientCert_$CLIENTNAME.crt
  echo "Now building Client keys bundle for [ $CLIENTNAME ]"
  openssl pkcs12 -export -inkey clientKey_$CLIENTNAME.pem -in clientCert_$CLIENTNAME.pem -name "$CLIENTNAME" -certfile caCert.pem -caname "$CANAME" -out client_$CLIENTNAME.p12 -password "pass:$CACERTPASSWORD"
  rm clientKey_$CLIENTNAME.pem
  # the bundle password is echoed in clear here and ends up in any captured log
  echo "remember that the password is [ $CACERTPASSWORD ] "
done
This is the log
Code:
root@OpenWrt:~# ./setup.sh
Building certificates for [ myvpnserver.dyndns.org ] and client [  (aka myVpnClients) ]
generating a new cakey for [ CATechnicolor ]
generating caCert for [ CATechnicolor ]...
Now building CA keys bundle
generating server certificates for [ myvpnserver.dyndns.org ]...
generating clientCert for [ myvpnclient (aka myVpnClients) ]...
Now building Client keys bundle for [ myvpnclient ]
remember that the password is [ passdatredici ]
generating clientCert for [ myvpnclient2 (aka myVpnClients) ]...
Now building Client keys bundle for [ myvpnclient2 ]
remember that the password is [ passdatredici ]
generating clientCert for [ muvpnclient3 (aka myVpnClients) ]...
Now building Client keys bundle for [ muvpnclient3 ]
remember that the password is [ passdatredici ]
root@OpenWrt:~#

« Last edit: 02 January 2021, 18:24 by MisterFTTH »

Offline SpiK369

  • Junior Member
  • **
  • 75
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #185 on: 02 January 2021, 23:39 »
Damn, I can't test it... the modem is in a bootloop, something went wrong with the firmware update with the latest stable GUI.... I'm trying to fix it without a serial console but it looks hard...

Offline ttt666

  • Junior Member
  • **
  • 59
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #186 on: 14 November 2021, 11:58 »
Hello, because of the recent switch to IKEv2 I removed the modgui-vpn package and ran FrancYescO's script with:
Code:
curl -s https://raw.githubusercontent.com/FrancYescO/sharing_tg789/strongswan/setup.sh | sh
The script stops at the enable and start of ipsec (last 2 lines):
Code:
root@OpenWrt:~# /etc/init.d/ipsec enable
-ash: /etc/init.d/ipsec: not found
root@OpenWrt:~# /etc/init.d/ipsec start
-ash: /etc/init.d/ipsec: not found

The ipsec configuration therefore seems corrupted and I am forced to start it by hand from /usr/sbin: in particular the ipsec files in /etc/init.d/ and /etc/config/ are missing.

I tried forcing a reinstall of the packages listed in the script using --force-reinstall but nothing changed  :facepalm:

How do I restore ipsec and its correct configuration?

Thanks


Offline LuKePicci

  • Global Moderator
  • VIP
  • *****
  • 2789
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #187 on: 14 November 2021, 20:35 »
If you can't restore the files from the original packages, I think you'd better reset everything.

Offline ttt666

  • Junior Member
  • **
  • 59
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #188 on: 14 November 2021, 22:54 »
In the end the DGA4131 went into a bootloop   :headbang:  After 3 hours of recovery with TFTPD, bank planning, etc... I am back to the starting situation.

I finally installed strongswan with FrancYescO's script and now I'm trying to make the first connection, but I get the following error (from both Windows and Android):
Code:
root@OpenWrt:~# logread -f
Sun Nov 14 22:56:00 2021 daemon.info charon: 05[NET] received packet: from CLIENT.IP[5897] to SERVER.IP[500] (716 bytes)
Sun Nov 14 22:56:00 2021 daemon.info charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Nov 14 22:56:00 2021 daemon.info charon: 05[IKE] CLIENT.IP is initiating an IKE_SA
Sun Nov 14 22:56:00 2021 authpriv.info charon: 05[IKE] CLIENT.IP is initiating an IKE_SA
Sun Nov 14 22:56:00 2021 daemon.info charon: 05[IKE] remote host is behind NAT
Sun Nov 14 22:56:00 2021 daemon.info charon: 05[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
Sun Nov 14 22:56:00 2021 daemon.info charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sun Nov 14 22:56:00 2021 daemon.info charon: 05[NET] sending packet: from SERVER.IP[500] to CLIENT.IP[5897] (38 bytes)
Sun Nov 14 22:56:00 2021 daemon.info charon: 07[NET] received packet: from CLIENT.IP[5897] to SERVER.IP[500] (1036 bytes)
Sun Nov 14 22:56:00 2021 daemon.info charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Nov 14 22:56:00 2021 daemon.info charon: 07[IKE] CLIENT.IP is initiating an IKE_SA
Sun Nov 14 22:56:00 2021 authpriv.info charon: 07[IKE] CLIENT.IP is initiating an IKE_SA
Sun Nov 14 22:56:01 2021 daemon.info charon: 07[IKE] remote host is behind NAT
Sun Nov 14 22:56:01 2021 daemon.info charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sun Nov 14 22:56:01 2021 daemon.info charon: 07[NET] sending packet: from SERVER.IP[500] to CLIENT.IP[5897] (590 bytes)
Sun Nov 14 22:56:02 2021 daemon.info charon: 06[NET] received packet: from CLIENT.IP[5935] to SERVER.IP[4500] (1364 bytes)
Sun Nov 14 22:56:02 2021 daemon.info charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Sun Nov 14 22:56:02 2021 daemon.info charon: 06[ENC] received fragment #1 of 4, waiting for complete IKE message
Sun Nov 14 22:56:02 2021 daemon.info charon: 08[NET] received packet: from CLIENT.IP[5935] to SERVER.IP[4500] (1364 bytes)
Sun Nov 14 22:56:02 2021 daemon.info charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Sun Nov 14 22:56:02 2021 daemon.info charon: 08[ENC] received fragment #2 of 4, waiting for complete IKE message
Sun Nov 14 22:56:02 2021 daemon.info charon: 12[NET] received packet: from CLIENT.IP[5935] to SERVER.IP[4500] (1364 bytes)
Sun Nov 14 22:56:02 2021 daemon.info charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Sun Nov 14 22:56:02 2021 daemon.info charon: 12[ENC] received fragment #3 of 4, waiting for complete IKE message
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[NET] received packet: from CLIENT.IP[5935] to SERVER.IP[4500] (884 bytes)
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[ENC] received fragment #4 of 4, reassembling fragmented IKE message
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[IKE] received 157 cert requests for an unknown ca
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[IKE] received end entity cert "C=US, O=Technicolor, CN=myvpnclient1"
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[CFG] looking for peer configs matching SERVER.IP[%any]...CLIENT.IP[C=US, O=Technicolor, CN=myvpnclient1]
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[CFG] selected peer config 'rwEAPMSCHAPV2'
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[CFG]   using certificate "C=US, O=Technicolor, CN=myvpnclient1"
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[CFG] no issuer certificate found for "C=US, O=Technicolor, CN=myvpnclient1"
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[CFG]   issuer is "C=US, O=Technicolor, CN=CATechnicolor"
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[IKE] no trusted RSA public key found for 'C=US, O=Technicolor, CN=myvpnclient1'
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[IKE] peer supports MOBIKE
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sun Nov 14 22:56:02 2021 daemon.info charon: 09[NET] sending packet: from SERVER.IP[4500] to CLIENT.IP[5935] (80 bytes)

Suggestions?

« Last edit: 14 November 2021, 23:00 by ttt666 »

Offline LuKePicci

  • Global Moderator
  • VIP
  • *****
  • 2789
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #189 on: 15 November 2021, 00:20 »
It says it can't find the CA certificate of the CA you generated. That's strange, because the script should create them and put them all in their place.

Offline FrancYescO

  • VIP
  • *****
  • 3382
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #190 on: 15 November 2021, 09:30 »
I don't know whether it's related, but quoting myself:
- I had IPv6 enabled on the modem's LAN and for some reason the handshake was failing; as soon as I disabled it, the client connected immediately

Offline ttt666

  • Junior Member
  • **
  • 59
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #191 on: 15 November 2021, 21:41 »
Thanks for the advice first of all.

I don't have IPv6 enabled on the LAN, but I think I solved the certificate problem by regenerating the keys (as per FrancYescO's script).

Now, however, I get this error (from the Android client):
Code:
root@OpenWrt:~# logread -f
Mon Nov 15 21:33:14 2021 daemon.info charon: 15[NET] received packet: from CLIENT.IP[9356] to SERVER.IP[500] (716 bytes)
Mon Nov 15 21:33:14 2021 daemon.info charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mon Nov 15 21:33:14 2021 daemon.info charon: 15[IKE] CLIENT.IP is initiating an IKE_SA
Mon Nov 15 21:33:14 2021 authpriv.info charon: 15[IKE] CLIENT.IP is initiating an IKE_SA
Mon Nov 15 21:33:14 2021 daemon.info charon: 15[IKE] remote host is behind NAT
Mon Nov 15 21:33:14 2021 daemon.info charon: 15[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
Mon Nov 15 21:33:14 2021 daemon.info charon: 15[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Mon Nov 15 21:33:14 2021 daemon.info charon: 15[NET] sending packet: from SERVER.IP[500] to CLIENT.IP[9356] (38 bytes)
Mon Nov 15 21:33:14 2021 daemon.info charon: 13[NET] received packet: from CLIENT.IP[9356] to SERVER.IP[500] (1036 bytes)
Mon Nov 15 21:33:14 2021 daemon.info charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mon Nov 15 21:33:14 2021 daemon.info charon: 13[IKE] CLIENT.IP is initiating an IKE_SA
Mon Nov 15 21:33:14 2021 authpriv.info charon: 13[IKE] CLIENT.IP is initiating an IKE_SA
Mon Nov 15 21:33:15 2021 daemon.info charon: 13[IKE] remote host is behind NAT
Mon Nov 15 21:33:15 2021 daemon.info charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mon Nov 15 21:33:15 2021 daemon.info charon: 13[NET] sending packet: from SERVER.IP[500] to CLIENT.IP[9356] (590 bytes)
Mon Nov 15 21:33:16 2021 daemon.info charon: 06[NET] received packet: from CLIENT.IP[9400] to SERVER.IP[4500] (1364 bytes)
Mon Nov 15 21:33:16 2021 daemon.info charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Mon Nov 15 21:33:16 2021 daemon.info charon: 06[ENC] received fragment #1 of 4, waiting for complete IKE message
Mon Nov 15 21:33:16 2021 daemon.info charon: 16[NET] received packet: from CLIENT.IP[9400] to SERVER.IP[4500] (1364 bytes)
Mon Nov 15 21:33:16 2021 daemon.info charon: 16[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Mon Nov 15 21:33:16 2021 daemon.info charon: 16[ENC] received fragment #2 of 4, waiting for complete IKE message
Mon Nov 15 21:33:16 2021 daemon.info charon: 05[NET] received packet: from CLIENT.IP[9400] to SERVER.IP[4500] (1364 bytes)
Mon Nov 15 21:33:16 2021 daemon.info charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Mon Nov 15 21:33:16 2021 daemon.info charon: 05[ENC] received fragment #3 of 4, waiting for complete IKE message
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[NET] received packet: from CLIENT.IP[9400] to SERVER.IP[4500] (884 bytes)
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[ENC] received fragment #4 of 4, reassembling fragmented IKE message
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[IKE] received cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[IKE] received 156 cert requests for an unknown ca
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[IKE] received end entity cert "C=US, O=Technicolor, CN=myvpnclient1"
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[CFG] looking for peer configs matching SERVER.IP[%any]...CLIENT.IP[C=US, O=Technicolor, CN=myvpnclient1]
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[CFG] selected peer config 'rwEAPMSCHAPV2'
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[CFG]   using certificate "C=US, O=Technicolor, CN=myvpnclient1"
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[CFG]   using trusted ca certificate "C=US, O=Technicolor, CN=CATechnicolor"
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[CFG] checking certificate status of "C=US, O=Technicolor, CN=myvpnclient1"
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[CFG] certificate status is not available
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[CFG]   reached self-signed root ca with a path length of 0
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[IKE] authentication of 'C=US, O=Technicolor, CN=myvpnclient1' with RSA_EMSA_PKCS1_SHA2_256 successful
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[CFG] constraint check failed: EAP identity '%any' required
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[CFG] selected peer config 'rwEAPMSCHAPV2' inacceptable: non-matching authentication done
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[CFG] no alternative config found
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[IKE] peer supports MOBIKE
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mon Nov 15 21:33:16 2021 daemon.info charon: 07[NET] sending packet: from SERVER.IP[4500] to CLIENT.IP[9400] (80 bytes)

Suggestions?
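
The two captures in this thread end the same way (AUTH_FAILED) for different reasons. As an added example that is not part of the thread or of FrancYescO's script, here is a small POSIX sh triage function that reads a logread capture and names the failure it recognises; the sample lines are constructed from the captures above with the addresses left out.

```shell
#!/bin/sh
# Added example, not code from this thread or from the sharing_tg789 script.
# Reads a charon "logread" capture on stdin and prints the failure codes it
# recognises, space-separated and in order, or NO_KNOWN_FAILURE.
diagnose_charon_log() {
  found=""
  while IFS= read -r line; do
    code=""
    case "$line" in
      # the client cert's issuer is not installed in /etc/ipsec.d/cacerts
      *"no issuer certificate found for"*)        code="MISSING_CA" ;;
      # pubkey auth passed but the chosen conn still demands an EAP round:
      # rightauth2/eap_identity on the server do not match the client profile
      *"constraint check failed: EAP identity"*)  code="EAP_ID_CONSTRAINT" ;;
      *"no alternative config found"*)            code="NO_MATCHING_CONN" ;;
      *"N(AUTH_FAILED)"*)                         code="AUTH_FAILED" ;;
      # benign noise: INVAL_KE only makes the client retry with the proposed
      # DH group, and the "unknown ca" requests are the client's OS trust store
      *"inacceptable, requesting"*|*"cert requests for an unknown ca"*) ;;
    esac
    [ -n "$code" ] && found="$found${found:+ }$code"
  done
  echo "${found:-NO_KNOWN_FAILURE}"
}

# Constructed samples modelled on the two captures in this thread (IPs elided).
SAMPLE_MISSING_CA='charon: 09[IKE] received 157 cert requests for an unknown ca
charon: 09[IKE] received end entity cert "C=US, O=Technicolor, CN=myvpnclient1"
charon: 09[CFG] no issuer certificate found for "C=US, O=Technicolor, CN=myvpnclient1"
charon: 09[CFG]   issuer is "C=US, O=Technicolor, CN=CATechnicolor"
charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]'

SAMPLE_EAP_CONSTRAINT='charon: 07[CFG]   using trusted ca certificate "C=US, O=Technicolor, CN=CATechnicolor"
charon: 07[IKE] authentication of "C=US, O=Technicolor, CN=myvpnclient1" with RSA_EMSA_PKCS1_SHA2_256 successful
charon: 07[CFG] constraint check failed: EAP identity "%any" required
charon: 07[CFG] no alternative config found
charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]'

SAMPLE_OK='charon: 07[IKE] authentication of "C=US, O=Technicolor, CN=myvpnclient1" with RSA_EMSA_PKCS1_SHA2_256 successful
charon: 07[IKE] IKE_SA rwPUBKEY[1] established between SERVER.IP[SERVER.IP]...CLIENT.IP[C=US, O=Technicolor, CN=myvpnclient1]'

case "$1" in
  --demo)   # print the diagnosis for each constructed sample
    for s in "$SAMPLE_MISSING_CA" "$SAMPLE_EAP_CONSTRAINT" "$SAMPLE_OK"; do
      printf '%s\n' "$s" | diagnose_charon_log
    done ;;
  --stdin)  # live use on the router:  logread | sh triage.sh --stdin
    diagnose_charon_log ;;
esac
```

With the first capture it prints "MISSING_CA AUTH_FAILED", with the second "EAP_ID_CONSTRAINT NO_MATCHING_CONN AUTH_FAILED"; a successful IKE_AUTH gives "NO_KNOWN_FAILURE".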

Offline LuKePicci

  • Global Moderator
  • VIP
  • *****
  • 2789
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #192 on: 16 November 2021, 01:41 »
It tells you the problem itself: you have set the EAP identity wrongly. Compare what the script generated with the settings you find on the reference OpenWrt wiki. Also let us know which Android client you are using (native? strongSwan app? other?) and how you configured it (screenshot please)

Offline ttt666

  • Junior Member
  • **
  • 59
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #193 on: 18 November 2021, 21:39 »
After several attempts the VPN now works like a charm... ;)

Summary:
after installing strongSwan by running FrancYescO's excellent script (enabling the generation of multiple client certificates), make the following changes to the file '/etc/ipsec.conf':
   a) in the conn rwPUBKEY section, uncomment the line 'rightauth2=eap-mschapv2' to redirect authentication to the public key
   b) in the conn %default section, add the line 'esp=aes128-aes256-sha256-modp3072-modp2048,aes128-aes256-sha256' for better compatibility/performance

Nothing else needs to be touched compared to what the script created, at least for a minimal configuration.

Test results on the internal LAN over 2.4GHz Wi-Fi with a DGA4131 v. 18.3 server:
   - Windows 11 built-in client (imported p12 certificate and created an IKEv2 VPN) ---> download 37 Mb/s and upload 38 Mb/s
   - Android 7 client with the official strongSwan app (imported p12 certificate and created an IKEv2 VPN) ---> download 33 Mb/s and upload 35 Mb/s

Code:
#### file '/etc/ipsec.conf' ####
config setup

conn %default
        keyexchange=ikev2
        ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
        esp=aes128-aes256-sha256-modp3072-modp2048,aes128-aes256-sha256
        left=%any
        leftauth=pubkey
        leftcert=serverCert_SERVER.IP.pem
        leftid=SERVER.IP
        leftsubnet=0.0.0.0/0;::/0
        right=%any
        rightsourceip=%dhcp
        eap_identity=%identity
        auto=add

conn rwEAPMSCHAPV2
        leftsendcert=always
        #rightauth=eap-mschapv2
        rightsendcert=never

conn rwPUBKEYIOS
        leftsendcert=always
        rightid=myVpnClients
        rightauth=pubkey
        rightca=caCert.pem
        #rightauth2=eap-mschapv2

conn rwEAPTLSIOS
        leftsendcert=always
        rightid=myVpnClients
        rightauth=eap-tls
        rightcert=caCert.pem
        #rightauth2=eap-mschapv2

conn rwPUBKEY
        rightauth=pubkey
        rightcert=caCert.pem
        rightauth2=eap-mschapv2

conn rwEAPTLS
        rightauth=eap-tls
        rightcert=caCert.pem

Thanks a lot for your support.
« Last edit: 18 November 2021, 21:45 by ttt666 »
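
As an added example (not from the thread or from the sharing_tg789 script), a POSIX sh lint for the conn sections of an ipsec.conf that flags the points raised in this exchange: rightcert= pointing at the CA certificate where rightca= is meant, rightca= given a file name instead of the issuer DN, and an ike= proposal that still offers sha1/modp1024. It assumes key=value lines without blanks around "=", as in the file posted above; the sample file is constructed from that post.

```shell
#!/bin/sh
# Added example, not code from this thread or from the sharing_tg789 script.
# Lints the conn sections of an ipsec.conf read on stdin. It relies on two
# strongSwan facts: rightcert= names the peer's own end-entity certificate,
# and rightca= takes the issuer DN (or %same), never a file name. Settings
# inherited from conn %default are reported on %default itself.
report_conn() {
  [ -z "$conn" ] && return 0
  if [ "$rightauth" = "pubkey" ] && [ -n "$rightcert" ] && [ -z "$rightca" ]; then
    echo "$conn: rightcert=$rightcert matches only that one certificate; to accept every cert issued by your CA use rightca=<issuer DN> (with the CA cert in /etc/ipsec.d/cacerts)"
  fi
  case "$rightca" in
    *.pem|*.crt|*.der) echo "$conn: rightca=$rightca is a file name; rightca wants the issuer DN, e.g. \"C=US, O=Technicolor, CN=CATechnicolor\", or %same" ;;
  esac
  case "$ike" in
    *modp1024*|*sha1*) echo "$conn: ike=$ike still offers sha1/modp1024; drop them unless a legacy client needs them" ;;
  esac
}

lint_ipsec_conf() {
  conn=""; rightauth=""; rightcert=""; rightca=""; ike=""
  while read -r line; do                       # plain read trims leading/trailing blanks
    line="${line%%#*}"                         # drop comments, so "#rightauth2=..." is ignored
    line="${line%"${line##*[![:space:]]}"}"    # trim blanks left behind by the comment strip
    case "$line" in
      conn[[:space:]]*)   report_conn; set -- $line; conn="$2"
                          rightauth=""; rightcert=""; rightca=""; ike="" ;;
      config[[:space:]]*) report_conn; conn="" ;;
      rightauth=*) rightauth="${line#rightauth=}" ;;   # does not match rightauth2=
      rightcert=*) rightcert="${line#rightcert=}" ;;
      rightca=*)   rightca="${line#rightca=}" ;;
      ike=*)       ike="${line#ike=}" ;;
    esac
  done
  report_conn                                  # report the last section
}

# Constructed sample, modelled on the ipsec.conf posted above (shortened).
SAMPLE_CONF='config setup

conn %default
        keyexchange=ikev2
        ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
        left=%any
        leftauth=pubkey
        right=%any
        eap_identity=%identity

conn rwPUBKEYIOS
        rightid=myVpnClients
        rightauth=pubkey
        rightca=caCert.pem
        #rightauth2=eap-mschapv2

conn rwPUBKEY
        rightauth=pubkey
        rightcert=caCert.pem
        rightauth2=eap-mschapv2

conn rwFIXED
        rightauth=pubkey
        rightca="C=US, O=Technicolor, CN=CATechnicolor"'

case "$1" in
  --demo)  printf '%s\n' "$SAMPLE_CONF" | lint_ipsec_conf ;;
  --stdin) lint_ipsec_conf ;;   # on the router:  sh lint.sh --stdin < /etc/ipsec.conf
esac
```

On the sample it reports three lines (for %default, rwPUBKEYIOS and rwPUBKEY) and nothing for rwFIXED.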

Offline LuKePicci

  • Global Moderator
  • VIP
  • *****
  • 2789
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #194 on: 18 November 2021, 22:47 »
Maybe in point a) you meant uncommenting rightca=