[Vpn-help] Faulty remote ID checking Take 2 ...

Matthew Grooms mgrooms at shrew.net
Sat Sep 16 18:27:50 CDT 2006

Matthew Grooms wrote:

Alright, I think we should be good now ...

r636 | mgrooms | 2006-09-16 16:28:46 +0000 (Sat, 16 Sep 2006) | 11 lines

Rewrite the site configuration manager id handling functions. When the
user selects a new authentication or exchange type, only reset the ID
type and associated data if it is no longer valid.

Allow all id types for RSA authentication modes instead of only asn1dn.
While this offers more flexibility for configuration, it's not usually a
good idea. Typically when a gateway has id checking enabled, it will
reject any ID except for a valid asn1dn because the value won't match the
subject name in the certificate payload later offered by the peer being

Allow for asn1dn IDs to be manually entered in the Site Configuration.
The DN must be an exact match for peer authentication to complete
successfully. The delimiter used for the manually entered DNs may be
forward slashes or commas.

Continue to allow the asn1dn subject to be pulled from the local
certificate for use as the local ID when a mutual RSA mode is selected.
Remove the option for pulling the asn1dn subject from the remote
certificate as it could not be used for ID comparison. The peer would
offer its certificate subject ID and not the CA subject id which is what
we have a copy of. If a peer asn1dn value is not manually entered for a
site configuration, the remote id offered by the peer will not be
verified with a specific ID value but will be used to compare against
any future cert payload subjects that are offered in the future. This is
the same behavior as ipsec-tools.

Add two new functions to ipsecd to convert from text to asn1dn and back
to text. Add a new function for creating a peerid from the site
configuration parameters for either the initiator or the responder. Add
another function to compare two arbitrary id types. Use these functions
instead of in-lining the logic in other places where it does not belong.



Please let me know if this works for everyone.
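The id handling the commit describes, worked through as an added Python example (this is not Shrew Soft's ipsecd code): a manually entered DN in either slash or comma form is parsed, DER-encoded as an X.501 Name for use as an ID_DER_ASN1_DN payload, decoded back to text, and compared byte-for-byte against the subject a peer's certificate would carry. The ID type numbers are the IKEv1 values from RFC 2407. The set of attribute types and the choice of DER string type per attribute are assumptions made for the example; because the comparison is on raw bytes, a certificate subject encoded with different string types, or a value differing only in case, will not match the typed DN. All sample DNs below are constructed.

```python
"""Added example (not ipsecd code): typed asn1dn -> DER Name -> exact ID match."""

ID_FQDN = 2          # IKEv1 ID type codes, RFC 2407
ID_DER_ASN1_DN = 9

# Attribute types accepted in a typed DN (X.520 / PKCS#9 OIDs).
# Assumption: this subset covers typical gateway certificate subjects.
ATTR_OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3", "emailAddress": "1.2.840.113549.1.9.1",
}
OID_ATTRS = {oid: attr for attr, oid in ATTR_OIDS.items()}

def parse_dn(text):
    """'/C=US/O=Acme/CN=gw' or 'C=US, O=Acme, CN=gw' -> [(type, value), ...]."""
    text = text.strip()
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = (s.strip() for s in part.split("=", 1))
        if attr not in ATTR_OIDS:
            raise ValueError("unsupported attribute type: %r" % attr)
        rdns.append((attr, value))
    return rdns

def dn_to_text(rdns, slashes=False):
    """Inverse of parse_dn, in either delimiter style."""
    if slashes:
        return "/" + "/".join("%s=%s" % rdn for rdn in rdns)
    return ", ".join("%s=%s" % rdn for rdn in rdns)

def _der_tlv(tag, body):
    """Minimal DER tag-length-value (long-form length for >= 128 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der_tlv(0x06, bytes(out))

def dn_to_der(rdns):
    """Encode an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, string }.
    Assumed string types: C -> PrintableString, emailAddress -> IA5String,
    others UTF8String. A cert using other types gives different bytes."""
    name = b""
    for attr, value in rdns:
        if attr == "C":
            val = _der_tlv(0x13, value.encode("ascii"))
        elif attr == "emailAddress":
            val = _der_tlv(0x16, value.encode("ascii"))
        else:
            val = _der_tlv(0x0C, value.encode("utf-8"))
        atv = _der_tlv(0x30, _der_oid(ATTR_OIDS[attr]) + val)
        name += _der_tlv(0x31, atv)      # one AttributeTypeAndValue per RDN SET
    return _der_tlv(0x30, name)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_to_dn(der):
    """Decode a DER Name (same attribute set) back into (type, value) pairs."""
    tag, name, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER Name")
    rdns, pos = [], 0
    while pos < len(name):
        _, rdn_set, pos = _read_tlv(name, pos)
        _, atv, _ = _read_tlv(rdn_set, 0)
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        arcs, n = [oid[0] // 40, oid[0] % 40], 0
        for b in oid[1:]:
            n = (n << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(n)
                n = 0
        rdns.append((OID_ATTRS[".".join(map(str, arcs))], val.decode("utf-8")))
    return rdns

def compare_ids(id_a, id_b):
    """Exact match of two (type, data) identities: same ID type, identical
    bytes. No case folding or whitespace normalisation is applied."""
    return id_a[0] == id_b[0] and id_a[1] == id_b[1]

def check_peer(configured_dn_text, peer_subject_der):
    """Responder view: expected peer ID from the site configuration versus
    the DER subject the peer actually offered."""
    expected = (ID_DER_ASN1_DN, dn_to_der(parse_dn(configured_dn_text)))
    return compare_ids(expected, (ID_DER_ASN1_DN, peer_subject_der))
```

The two delimiter styles produce identical DER, so either may be typed into the site configuration; but the match is deliberately strict, so "CN=GW.example.net" will not verify a peer whose certificate says "CN=gw.example.net", and a DN typed from a certificate whose subject uses PrintableString for the O or CN fields will not match this encoder's UTF8String output. When in doubt, take the DN text from a DER dump of the peer's certificate rather than retyping it.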
