[Vpn-help] 1.1 RC1 Bug?

Matthew Grooms mgrooms at shrew.net
Mon Sep 18 23:11:17 CDT 2006


Brian Jones wrote:
> With the 1.1RC1 client, if I open a config and then try to save it I get 
> a message "Configuration Error" "Please specify a valid local id data" 
> and of course if I put random numbers in the ASN1DN String box, I get 
> "Please specify a valid remote id data."  Is this supposed to be like 
> that?  I don't recall ever seeing that previously.
> 

Brian,

	Yes. This behavior has changed. Here are the pertinent entries from the 
change log ...

Allow all id types for RSA authentication modes instead of only asn1dn.
While this offers more flexibility for configuration, it's not usually a
good idea. Typically when a gateway has id checking enabled, it will
reject any ID except for a valid asn1dn because the value won't match the
subject name in the certificate payload later offered by the peer being
identified.

Allow for asn1dn IDs to be manually entered in the Site Configuration.
The DN must be an exact match for peer authentication to complete
successfully. The delimiter used for the manually entered DNs may be
forward slashes or commas.

Continue to allow the asn1dn subject to be pulled from the local
certificate for use as the local ID when a mutual RSA mode is selected.
Remove the option for pulling the asn1dn subject from the remote
certificate as it could not be used for ID comparison. The peer would
offer its certificate subject ID and not the CA subject id which is what
we have a copy of. If a peer asn1dn value is not manually entered for a
site configuration, the remote id offered by the peer will not be
verified with a specific ID value but will be used to compare against
any future cert payload subjects that are offered in the future. This is
the same behavior as ipsec-tools.

... If you are using hybrid mode authentication, you need to specify 
some sort of id information for the client and server. It will complain 
at connect time if the validation fails. The sad fact is the code was 
just flat out broken before and I failed to identify there was a 
problem. Peter reported the issue which led to more or less rewriting 
all the client id support. The difference now is that the ID data is 
more strictly checked and verified. You may want to check with Peter to 
see how the ID verification is configured on your gateway.

Does this help? Let me know if you have any more questions.

Thanks,

-Matthew
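As an added illustration (not the Shrew Soft client's own code, which is written in C), the ID check the change log above describes, in Python: a manually entered asn1dn in either delimiter form must match the peer's offered ID exactly, and the offered ID is then compared against the subject of the certificate payload the peer presents. Choosing the delimiter by a leading slash and upper-casing attribute types are assumptions of this example; the sample DNs are constructed.

```python
from typing import List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "gw.example.test")


def parse_dn(text: str) -> List[RDN]:
    """Split a manually entered asn1dn into (type, value) pairs.

    Accepts '/C=US/O=Example/CN=gw' or 'C=US, O=Example, CN=gw'. Picking the
    delimiter from the leading '/' is this example's assumption; the change
    log only says both delimiters are accepted.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty DN")
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        # Attribute types are normalised to upper case; values compare exactly.
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def verify_remote_id(configured: Optional[str], offered_id: str,
                     cert_subject: str) -> bool:
    """Mirror the two cases in the change log.

    configured   -- asn1dn typed into the Site Configuration, or None
    offered_id   -- asn1dn the peer sends in its ID payload
    cert_subject -- subject of the certificate payload offered afterwards
    """
    offered = parse_dn(offered_id)
    if configured is not None and parse_dn(configured) != offered:
        return False  # peer's ID is not an exact match for the configured value
    # With or without a configured value, the offered ID must equal the
    # subject of the certificate payload presented later in the exchange.
    return offered == parse_dn(cert_subject)


if __name__ == "__main__":
    # Constructed sample values, not taken from this thread.
    subject = "C=US, O=Example, CN=gw.example.test"
    print(verify_remote_id("/C=US/O=Example/CN=gw.example.test", subject, subject))  # True
    print(verify_remote_id("/C=US/O=Example/CN=other", subject, subject))            # False
    print(verify_remote_id(None, subject, "C=US, O=Example, CN=other"))              # False
```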
