[Vpn-help] Fix for faulty remote ID checking ...
Matthew Grooms
mgrooms at shrew.net
Fri Sep 15 19:43:47 CDT 2006
Matthew Grooms wrote:
> Peter Eisch wrote:
>> On 9/15/06 12:24 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:
>>
>>>> It would seem to me that the client should make some effort to auth the
>>>> server given the policy. Oddly I like the behavior, but it doesn't seem
>>>> to make any sense or could be seen to be a security hole.
>>>>
>>>> Bewildered,
>>>>
>
> Peter,
>
> Well, that wasn't fun. I ran out of state bits so I had to split the
> life and transmit state into two bit masks. This meant I had to touch
> every state set/check in ipsecd. Anyhow, here is the result ...
>
> ------------------------------------------------------------------------
> r635 | mgrooms | 2006-09-15 16:10:41 +0000 (Fri, 15 Sep 2006) | 3 lines
>
> Split the SA state flags into life state and transmit state flags. We ran
> out of bit flags.
>
> Rework the peer identity check code. Match the ID values and optionally
> send a notification when a failure occurs.
> ------------------------------------------------------------------------
>
Sorry folks, I think I found a problem with the matching for asn1dn ID
types. There may be something fundamental I am missing with regard to this
type of ID and how it relates to certificate requests. I will dig through
the RFCs and racoon and re-post a new build when I have this sorted out.
Thanks,
-Matthew
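[Editor's note] The thread concerns the peer identity check that r635 reworked: comparing the ID the remote gateway sends against the identity the local policy expects. For the asn1dn ID type the payload is a DER-encoded X.501 Name (ID_DER_ASN1_DN, type 9 in IKEv1), so a byte-for-byte compare is not a correct match: the same name can arrive as PrintableString in the certificate and UTF8String in the ID payload, or with different case and spacing, and RFC 5280 section 7.1 says those still compare equal while a reordered RDN sequence does not. The following is an added illustration, not code from the Shrew Soft client or from Matthew's build; it uses only the Python standard library, and the sample names, OIDs and the `check_peer_id` helper are constructed for the example.

```python
"""Added example: match an IKEv1 ID_DER_ASN1_DN peer identity against a
certificate subject.  Stdlib only; minimal DER handling for an X.501 Name.
The sample DNs at the bottom are constructed for illustration."""
import re

ID_DER_ASN1_DN = 9   # IKEv1 identification type (RFC 2407, section 4.6.2.1)

# --- minimal DER encode / decode -------------------------------------------
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return _enc(0x06, bytes(out))

def encode_name(attrs, string_tag=0x13):
    """attrs: [(oid, value)], one AttributeTypeAndValue per RDN.
    0x13 = PrintableString, 0x0C = UTF8String."""
    rdns = b"".join(
        _enc(0x31, _enc(0x30, _enc_oid(oid) + _enc(string_tag, val.encode("utf-8"))))
        for oid, val in attrs)
    return _enc(0x30, rdns)

def _tlv(buf, i):
    tag, ln, j = buf[i], buf[i + 1], i + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, j = int.from_bytes(buf[j:j + n], "big"), j + n
    if j + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[j:j + ln], j + ln

def _dec_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

_STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1A: "ascii", 0x1E: "utf-16-be"}

def parse_name(der):
    """Decode a DER Name into an ordered list of RDNs, each a frozenset of
    (oid, value) pairs.  Rejects anything that is not a well-formed Name."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name must be a single SEQUENCE")
    rdns, i = [], 0
    while i < len(body):
        tag, rdn, i = _tlv(body, i)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        attrs, j = set(), 0
        while j < len(rdn):
            tag, atv, j = _tlv(rdn, j)
            if tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            otag, oid, k = _tlv(atv, 0)
            vtag, val, k = _tlv(atv, k)
            if otag != 0x06 or vtag not in _STRING_TAGS or k != len(atv):
                raise ValueError("malformed AttributeTypeAndValue")
            attrs.add((_dec_oid(oid), val.decode(_STRING_TAGS[vtag])))
        rdns.append(frozenset(attrs))
    return rdns

def _norm(value):
    # RFC 5280 section 7.1 caseIgnoreMatch: fold case, trim, collapse spaces
    return re.sub(r"\s+", " ", value.strip()).casefold()

def names_match(a, b):
    """Same number of RDNs, same order, same attribute types and values."""
    if len(a) != len(b):
        return False
    return all({(o, _norm(v)) for o, v in x} == {(o, _norm(v)) for o, v in y}
               for x, y in zip(a, b))

def check_peer_id(id_type, id_data, cert_subject_der):
    """Accept the peer only if its ID payload is an ASN.1 DN that matches the
    certificate subject; any other ID type, or undecodable data, fails."""
    if id_type != ID_DER_ASN1_DN:
        return False
    try:
        return names_match(parse_name(id_data), parse_name(cert_subject_der))
    except (ValueError, IndexError):
        return False

# Constructed sample identities (not taken from the thread).
C, O, CN = "2.5.4.6", "2.5.4.10", "2.5.4.3"
CERT_SUBJECT = encode_name([(C, "US"), (O, "Example Org"), (CN, "vpn.example.net")])
PEER_ID_OK = encode_name([(C, "US"), (O, "example  org"), (CN, "VPN.EXAMPLE.NET")], string_tag=0x0C)
PEER_ID_REORDERED = encode_name([(CN, "vpn.example.net"), (O, "Example Org"), (C, "US")])

if __name__ == "__main__":
    print(PEER_ID_OK == CERT_SUBJECT)                                     # False: bytes differ
    print(check_peer_id(ID_DER_ASN1_DN, PEER_ID_OK, CERT_SUBJECT))         # True: names match
    print(check_peer_id(ID_DER_ASN1_DN, PEER_ID_REORDERED, CERT_SUBJECT))  # False
    print(check_peer_id(2, b"vpn.example.net", CERT_SUBJECT))              # False: wrong ID type
```

The point the first two printed lines make is the one that bites in practice: the two encodings of the same name are not byte-equal, so a client that compares the raw ID payload against the raw subject will reject a correct peer, while one that skips the comparison when the types look unfamiliar will accept any peer. Decoding both sides and comparing RDN by RDN, in order, is what RFC 5280 prescribes; everything else (a different ID type, a truncated or malformed payload) should fail closed.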