[Vpn-help] 1.1 RC1 Bug?

Matthew Grooms mgrooms at shrew.net
Tue Sep 19 13:17:35 CDT 2006


Peter Eisch wrote:
> On 9/18/06 11:40 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:
> 
> In  hybrid, there can't be an ASN1DN for the local (client) as there isn't a
> cert to draw it from (it should be in the subject of the cert).  Contriving
> one from free-text doesn't make any sense.  The client shouldn't be offering
> an ASN1DN to the server.  The client should see that the server's cert was
> signed by the selected CA cert -- that should be the beginning and the end
> of the auth that the client does of the server.

It's not any more contrived than inventing an arbitrary fqdn or ufqdn for 
the server to match. An asn1dn is just an asn1 encoded string in DN 
format. There is no restriction defined for what authentication methods 
it can be used with. Although the ID complements the use of 
certificates, the fact that the subject can be pulled automatically in 
some instances is inconsequential unless you use an RSA mutual 
authentication mode.

> NB.  I'm still running the 1.1b4, not 1.1rc1 -- so if my client is
> materially different I'll update it before going any further.  Otherwise I
> get the same messages as Brian was noting.
> 

I think the rc1 had a few more fixes than b4 but can't recall if they 
were id related.

Why are you trying to leave id data blank in hybrid mode? Hybrid 
authentication still happens after phase1 completes which means the 
gateway still performs a peer ID check unless you have specifically 
disabled this.

Do you want an option in the client to not provide an ID payload? I 
don't know how racoon would deal with this as it keeps track of what 
payloads it has received and may fail even with id checking disabled.

Thanks,

-Matthew
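As an added illustration of the point argued above (this is example code, not part of the thread or of the Shrew Soft client), the snippet below DER-encodes a Distinguished Name, frames it as an IKEv1 Identification payload of type ID_DER_ASN1_DN (RFC 2407 / RFC 2408 layouts), and then performs the kind of peer ID comparison a gateway does after phase 1. The DN strings, FQDN values and helper names are constructed for the example; the same check also covers FQDN and user-FQDN identities.

```python
import struct

# IKEv1 Identification types (RFC 2407 section 4.6.2.1)
ID_FQDN, ID_USER_FQDN, ID_DER_ASN1_DN = 2, 3, 9

# DER-encoded attribute-type OIDs used in the constructed DNs
OID = {"CN": b"\x06\x03\x55\x04\x03", "O": b"\x06\x03\x55\x04\x0a"}

def der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV, using long-form length when needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_dn(dn: str) -> bytes:
    """Encode 'CN=alice,O=Example' as a DER Name: SEQUENCE of SET of
    AttributeTypeAndValue. No certificate is involved; it is just a string."""
    rdns = b""
    for part in dn.split(","):
        attr, value = part.strip().split("=", 1)
        atv = der_tlv(0x30, OID[attr] + der_tlv(0x0c, value.encode()))  # UTF8String
        rdns += der_tlv(0x31, atv)  # one single-valued RDN per SET
    return der_tlv(0x30, rdns)

def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Generic payload header (RFC 2408 3.2) followed by ID type, protocol
    ID and port (RFC 2407 4.6.2), then the identification data."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, 0, 0) + data

def parse_id_payload(payload: bytes) -> tuple:
    """Return (id_type, identification data) after checking the declared length."""
    _next, reserved, length, id_type, _proto, _port = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload) or reserved != 0:
        raise ValueError("malformed ID payload")
    return id_type, payload[8:]

def peer_id_matches(payload: bytes, expected_type: int, expected: str) -> bool:
    """Gateway-side peer ID check: the received type and value must equal the
    identity configured for this peer (DN compared in its DER form)."""
    id_type, data = parse_id_payload(payload)
    if id_type != expected_type:
        return False
    want = encode_dn(expected) if expected_type == ID_DER_ASN1_DN else expected.encode()
    return data == want
```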


