[Vpn-help] 1.1 RC1 Bug?

Peter Eisch peter at boku.net
Tue Sep 19 11:58:48 CDT 2006

On 9/18/06 11:40 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:

> Brian Jones wrote:
>> I'll hit Peter up on that part. I found it odd that I can still connect with
>> nothing in the String. Granted I can't create a new hybrid xauth connection,
>> I can use the already created without a problem.  I wonder if that would be
>> the case with an import too, I'll have to try that out.
> Brian,
> If you are sending an asn1dn id, racoon will not verify it anywhere in
> hybrid mode even with id checking enabled unless there is a ...
> peers_identifier asn1dn "<your id>";
> ... configured. With hybrid mode, there isn't a whole lot of
> verification done by a gateway anyhow as the main authentication is your
> user id and password. Its probably best to use a FQDN and set it on the
> server so at least with Main Mode ( aka Identity protect ), there is a
> bit of added security.

In  hybrid, there can't be an ASN1DN for the local (client) as there isn't a
cert to draw it from (it should be in the subject of the cert).  Contriving
one from free-text doesn't make any sense.  The client shouldn't be offering
an ASN1DN to the server.  The client should see that the server's cert was
signed by the selected CA cert -- that should be the beginning and the end
of the auth that the client does of the server.

For RSASIG (and xauth+RSASIG) both sides need to match up happily.


NB.  I'm still running the 1.1b4, not 1.1rc1 -- so if my client is
materially different I'll update it before going any further.  Otherwise I
get the same messages as Brian was noting.

More information about the vpn-help mailing list