[Vpn-help] 1.1 RC1 Bug?

Peter Eisch peter at boku.net
Tue Sep 19 11:58:48 CDT 2006


On 9/18/06 11:40 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:

> Brian Jones wrote:
>> 
>> I'll hit Peter up on that part. I found it odd that I can still connect with
>> nothing in the String. Granted, I can't create a new hybrid xauth connection,
>> but I can use the already created one without a problem.  I wonder if that
>> would be the case with an import too; I'll have to try that out.
>> 
> 
> Brian,
> 
> If you are sending an asn1dn id, racoon will not verify it anywhere in
> hybrid mode even with id checking enabled unless there is a ...
> 
> peers_identifier asn1dn "<your id>";
> 
> ... configured. With hybrid mode, there isn't a whole lot of
> verification done by a gateway anyhow, as the main authentication is your
> user id and password. It's probably best to use a FQDN and set it on the
> server so at least with Main Mode ( aka Identity protect ), there is a
> bit of added security.
> 

In hybrid, there can't be an ASN1DN for the local (client) as there isn't a
cert to draw it from (it should be in the subject of the cert).  Contriving
one from free text doesn't make any sense.  The client shouldn't be offering
an ASN1DN to the server.  The client should see that the server's cert was
signed by the selected CA cert -- that should be the beginning and the end
of the auth that the client does of the server.

For RSASIG (and xauth+RSASIG) both sides need to match up happily.

peter

NB.  I'm still running the 1.1b4, not 1.1rc1 -- so if my client is
materially different I'll update it before going any further.  Otherwise I
get the same messages as Brian was noting.
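As an added illustration (not part of the thread, and not a configuration from either poster), here is a gateway-side racoon.conf "remote" block along the lines Matthew describes: Main Mode, hybrid RSA server authentication, and the client's FQDN pinned with peers_identifier so that verify_identifier has something to check. The hostname, certificate paths and algorithm choices are placeholders.

```conf
# Added example, not from the thread. Gateway (server) side of a
# hybrid-mode connection: the gateway authenticates with its RSA cert,
# the user authenticates with xauth. Names and paths are placeholders.
remote anonymous {
        exchange_mode main;                 # Main Mode (identity protect)

        certificate_type x509 "gateway.crt" "gateway.key";
        ca_type x509 "ca.crt";
        my_identifier asn1dn;               # gateway ID comes from its cert subject

        # As Matthew notes, racoon has nothing to compare the client's ID
        # against in hybrid mode unless peers_identifier is set, so
        # verify_identifier on alone changes nothing. The client has no cert
        # to derive an asn1dn from, so pin an FQDN instead.
        peers_identifier fqdn "client.example.com";
        verify_identifier on;

        proposal {
                authentication_method hybrid_rsa_server;
                encryption_algorithm aes;
                hash_algorithm sha1;
                dh_group 2;
        }
}
```

The client side must then be configured to send exactly that FQDN as its identifier; with a mismatch, verify_identifier on rejects the phase 1 exchange.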
