[Vpn-help] 1.1 RC1 Bug?
Peter Eisch
peter at boku.net
Tue Sep 19 13:57:45 CDT 2006
On 9/19/06 1:28 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:
> Matthew Grooms wrote:
>>
>> Why are you trying to leave id data blank in hybrid mode? Hybrid
>> authentication still happens after phase1 completes which means the
>> gateway still performs a peer ID check unless you have specifically
>> disabled this.
>>
>
> This is a half truth. The gateway will still perform an ID check unless
> you have specifically disabled this or don't have peers_identifier
> specified in the racoon.conf file. If you're trying to go by the book,
> this wouldn't be disabled and you would specify a peer identifier for
> racoon to check at least for main mode. It adds an extra layer of
> security because the gateway will verify your identity which can't be
> pulled out of the clear text portion of the phase1 negotiation. For
> aggressive mode, the initiator's identifier is in plain text so it
> doesn't buy you much.
>
So for hybrid, what would the correct local asn1dn be? I know what's in the
subject of the peer's cert, so I can guess what to use in the remote field.
peter
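As an added illustration of the two racoon.conf settings the quoted reply hinges on (this stanza is not from the thread or from the racoon project's documentation; certificate file names and the DN string are placeholders), here is a main-mode hybrid-auth gateway stanza with the peer ID check enabled. The comments mark which lines, when absent or off, produce the "no check" behaviour Matthew describes.

```conf
# Added example, not taken from this thread: a main-mode hybrid-auth gateway
# stanza in racoon.conf. File names and the DN string are placeholders.
remote anonymous {
        exchange_mode main;                 # ID payload travels encrypted in main mode
        certificate_type x509 "gateway-cert.pem" "gateway-key.pem";   # placeholder paths
        ca_type x509 "cacert.pem";                                    # placeholder path
        my_identifier asn1dn;               # gateway's own ID comes from its cert subject

        # The two lines the ID check depends on. Leave peers_identifier out, or
        # set verify_identifier off (racoon's default), and the gateway accepts
        # whatever ID payload the client sends: phase 1 and XAuth still complete,
        # but nothing is compared.
        peers_identifier asn1dn "C=US, O=Example, CN=vpn-client";     # placeholder DN
        verify_identifier on;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
}
```

With exchange_mode switched to aggressive the same check still runs, but the initiator's ID payload goes out in the first message unencrypted, which is why the reply says it buys little in that mode.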