[Vpn-help] 1.1 RC1 Bug?
Matthew Grooms
mgrooms at shrew.net
Tue Sep 19 13:28:39 CDT 2006
Matthew Grooms wrote:
>
> Why are you trying to leave id data blank in hybrid mode? Hybrid
> authentication still happens after phase1 completes which means the
> gateway still performs a peer ID check unless you have specifically
> disabled this.
>
This is a half truth. The gateway will still perform an ID check unless
you have specifically disabled this or don't have peers_identifier
specified in the racoon.conf file. If you're trying to go by the book,
this wouldn't be disabled and you would specify a peer identifier for
racoon to check, at least for main mode. It adds an extra layer of
security because the gateway will verify your identity, which can't be
pulled out of the clear text portion of the phase1 negotiation. For
aggressive mode, the initiator's identifier is in plain text, so it
doesn't buy you much.
Sorry if my previous statement was confusing. I was up until 4:30 this
morning trying to complete the transparent DNS proxy rewrite for 2.0 :)
Thanks,
-Matthew
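As an added illustration (not from the post above, and not a shipped Shrew Soft or racoon configuration), here is a racoon.conf remote block of the "by the book" kind the reply describes: a main-mode exchange with peers_identifier set and the check left enabled. The identifier values and hostnames are constructed; the verify_identifier keyword comes from the racoon.conf(5) manual page, not from the post.

```conf
# Constructed example: gateway-side racoon.conf fragment for main mode.
# The gateway only checks the initiator's ID payload when BOTH of the
# following hold: peers_identifier is specified, and verification has
# not been disabled (verify_identifier off). Omitting peers_identifier
# or setting verify_identifier off is what the post calls "disabled".
remote anonymous {
    exchange_mode main;                       # in aggressive mode the initiator ID travels in clear text

    my_identifier fqdn "vpn-gw.example.net";  # constructed value
    peers_identifier user_fqdn "alice@example.net";  # constructed value; the ID the gateway expects
    verify_identifier on;                     # fail phase1 if the peer's ID payload does not match

    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;  # hybrid deployments would use hybrid_rsa_server
        dh_group 2;
    }
}
```

Leaving peers_identifier out of the block above makes the remote block match any initiator ID, so the extra check the reply describes is no longer performed.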