[Vpn-help] 1.1 RC1 Bug?

Peter Eisch peter at boku.net
Tue Sep 19 13:57:45 CDT 2006

On 9/19/06 1:28 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:

> Matthew Grooms wrote:
>> Why are you trying to leave id data blank in hybrid mode? Hybrid
>> authentication still happens after phase1 completes which means the
>> gateway still performs a peer ID check unless you have specifically
>> disabled this.
> This is a half truth. The gateway will still perform and ID check unless
> you have specifically disabled this or don't have peers_identifier
> specified in the racoon.conf file. If your trying to go by the book,
> this wouldn't be disabled and you would specify a peer identifier for
> racoon to check at least for main mode. It adds a extra layer of
> security because the gateway will verify your identity which can't be
> pulled out of the clear text portion of the phase1 negotiation. For
> aggressive mode, the initiators identifier is in plain text so it
> doesn't buy you much.

So for hybrid, what would the correct local asn1dn be?  I know what's in the
subject of the peer's cert, so I can guess what to use in the remote field.


More information about the vpn-help mailing list