[Vpn-help] 1.1 RC1 Bug?

Brian Jones brian at boku.net
Mon Sep 18 23:29:14 CDT 2006


> 
> Brian,
> 
> 	Yes. This behavior has changed. Here are the pertinent entries from
> the change log ...
> 
> Allow all id types for RSA authentication modes instead of only asn1dn.
> While this offers more flexibility for configuration, it's not usually a
> good idea. Typically when a gateway has id checking enabled, it will
> reject any ID except for a valid asn1dn because the value won't match the
> subject name in the certificate payload later offered by the peer being
> identified.
> 
> Allow for asn1dn IDs to be manually entered in the Site Configuration.
> The DN must be an exact match for peer authentication to complete
> successfully. The delimiter used for the manually entered DNs may be
> forward slashes or commas.
> 
> Continue to allow the asn1dn subject to be pulled from the local
> certificate for use as the local ID when a mutual RSA mode is selected.
> Remove the option for pulling the asn1dn subject from the remote
> certificate as it could not be used for ID comparison. The peer would
> offer its certificate subject ID and not the CA subject id which is what
> we have a copy of. If a peer asn1dn value is not manually entered for a
> site configuration, the remote id offered by the peer will not be
> verified against a specific ID value but will be used to compare against
> any future cert payload subjects that are offered in the future. This is
> the same behavior as ipsec-tools.
> 
> ... If you are using hybrid mode authentication, you need to specify
> some sort of id information for the client and server. It will complain
> at connect time if the validation fails. The sad fact is the code was
> just flat out broken before and I failed to identify there was a
> problem. Peter reported the issue which led to more or less rewriting
> all the client id support. The difference now is that the ID data is
> more strictly checked and verified. You may want to check with Peter to
> see how the ID verification is configured on your gateway.
> 
> Does this help? Let me know if you have any more questions.
> 
> Thanks,
> 
> -Matthew

I'll hit Peter up on that part. I found it odd that I can still connect with
nothing in the String. Granted I can't create a new hybrid xauth connection,
but I can use the already created one without a problem. I wonder if that would
be the case with an import too; I'll have to try that out.
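The two-stage ID check that the quoted change log describes (an optional exact match of the peer's asn1dn against the DN typed into the Site Configuration, then a match of that same ID against the subject of the certificate payload the peer offers later) can be modelled in a few lines. The following is an added example written for this archive page, not Shrew Soft or ipsec-tools code; the function names, the sample DNs and the decision to treat an empty configured DN the same as "not entered" are all assumptions made here. Attribute types are compared case-insensitively, values exactly; escaped delimiters inside values are not handled.

```python
# Added example (not Shrew Soft or ipsec-tools code): a minimal model of the
# peer ID verification rules described in the change log quoted above.
from typing import List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "vpn-gw")


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN entered with either forward-slash or comma delimiters.

    "/C=US/O=Example/CN=vpn-gw" and "C=US, O=Example, CN=vpn-gw" yield the
    same RDN list. Attribute types are upper-cased (CN and cn name the same
    type); values are kept as-is, because the match is meant to be exact.
    Escaped delimiters inside values are not handled (simplification).
    """
    text = dn.strip()
    if not text:
        raise ValueError("empty DN")
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.upper(), value))
    return rdns


def verify_peer(configured_peer_dn: Optional[str],
                id_type: str, id_value: str,
                cert_subject_dn: str) -> Tuple[bool, str]:
    """Apply the two-stage check to a peer's ID payload and certificate subject.

    configured_peer_dn: the asn1dn typed into the Site Configuration, or
        None / "" when nothing was entered (assumption: an empty string is
        treated the same as "not entered").
    id_type, id_value: the IKE ID payload the peer offered ("asn1dn", "fqdn", ...).
    cert_subject_dn: subject of the certificate payload the peer offers later.
    Returns (accepted, reason).
    """
    # Only an asn1dn ID can be compared with a certificate subject; with ID
    # checking enabled any other type fails at the certificate stage, which
    # is why the change log calls non-asn1dn IDs "not usually a good idea".
    if id_type != "asn1dn":
        return False, f"id type {id_type!r} cannot be matched against a certificate subject"
    try:
        offered = parse_dn(id_value)
        expected = parse_dn(configured_peer_dn) if configured_peer_dn else None
        subject = parse_dn(cert_subject_dn)
    except ValueError as exc:
        return False, f"unparseable DN: {exc}"

    # Stage 1: if a peer DN was entered manually it must match exactly.
    if expected is not None and offered != expected:
        return False, "peer id does not match the configured asn1dn"
    # Otherwise the offered ID is accepted as-is and merely remembered.

    # Stage 2: the remembered ID must equal the subject of the certificate
    # payload offered later (the ipsec-tools behaviour the change log cites).
    if offered != subject:
        return False, "peer id does not match the certificate subject"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    gw_subject = "C=US, O=Example Corp, CN=vpn-gw.example.test"
    ca_subject = "C=US, O=Example Corp, CN=Example Root CA"
    gw_id = "/C=US/O=Example Corp/CN=vpn-gw.example.test"
    cases = [
        (None, "asn1dn", gw_id),                 # nothing entered: accepted, checked against cert
        ("C=US,O=Example Corp,CN=vpn-gw.example.test", "asn1dn", gw_id),  # exact match
        ("C=US,O=Example Corp,CN=other-gw.example.test", "asn1dn", gw_id),  # wrong CN
        (ca_subject, "asn1dn", gw_id),           # why the "remote cert" option could not work
        (None, "fqdn", "vpn-gw.example.test"),   # non-asn1dn id
    ]
    for cfg, idt, idv in cases:
        print(f"configured={cfg!r} id={idt}:{idv!r} -> {verify_peer(cfg, idt, idv, gw_subject)}")
```

The fourth case is the one the change log explains when it drops the "pull the asn1dn from the remote certificate" option: the only remote certificate the client holds is the CA's, so a DN taken from it never equals the subject the gateway actually offers as its ID, and stage 1 rejects every connection.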
