[Vpn-help] 1.1 RC1 Bug?

Matthew Grooms mgrooms at shrew.net
Tue Sep 19 14:26:07 CDT 2006


Peter Eisch wrote:
> 
> So for hybrid, what would the correct local asn1dn be?  I know what's in the
> subject of the peer's cert, so I can guess what to use in the remote field.
> 

In hybrid mode, there is no correct local asn1dn any more than there is 
a correct fqdn or ufqdn. It needs to match what the server has 
configured for the peer so that it can be validated.

With mutual RSA authentication, the asn1dn id offered has to match the 
cert subject that is offered later during negotiation. That's why there 
is an option to pull it directly from the local copy of the cert so you 
don't have to enter it manually. You could enter it manually to override 
the value if you wanted to, but it's probably not a good idea. It's the 
same as having an option to pull the endpoint IP to use as an address 
id. You could override it, but it's probably not a good idea either.

These options are there for the day when someone tries to use the client 
with some oddball vendor implementation. You know, the one that requires 
the base64 encoded value of Kim Il Sung's favorite tea to be used as an 
ID in conjunction with RSA authentication? Hey, it could happen ;)

If you are not interested in having the gateway validate the id, just 
set the client to use its address for the local id value and configure 
the racoon.conf "peer_identifier address;". In theory, that should work 
fine as the id type will match but validation won't be performed because 
you didn't specify an ID value to check.

If I were a better communicator, I would have already been able to 
explain this adequately by now. It's never been my strong suit so you 
will have to forgive me if I seem incoherent at times.

I swear, it all makes sense in my head :)
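The two gateway-side setups the reply contrasts, written out as racoon.conf `remote` blocks. This is an added illustration, not part of the original message and not configuration shipped with the Shrew Soft client or with racoon. Directive names follow racoon.conf(5); the keyword racoon actually uses is `peers_identifier` (the message writes `peer_identifier`). The certificate file names are placeholders, and only one `remote anonymous` block belongs in a given racoon.conf, so treat the two as alternatives.

```conf
# Added example (not from the original message or from racoon's own docs).
# Directive names follow racoon.conf(5); certificate file names are placeholders.

path certificate "/etc/racoon/certs";

# Variant A: mutual RSA, both sides identified by asn1dn.
# The asn1dn in the client's ID payload is compared with the subject of the
# certificate it sends later in the exchange, so the client should take its
# local ID from its own cert rather than typing the DN by hand.
remote anonymous
{
        exchange_mode           main;
        certificate_type        x509 "gateway-cert.pem" "gateway-key.pem";
        ca_type                 x509 "ca-cert.pem";
        my_identifier           asn1dn;     # no string: DN taken from gateway-cert.pem
        peers_identifier        asn1dn;     # no string: DN taken from the peer's cert
        verify_identifier       on;         # an ID that does not match the cert is rejected
        proposal {
                encryption_algorithm    aes;
                hash_algorithm          sha1;
                authentication_method   rsasig;
                dh_group                modp1024;
        }
}

# Variant B: hybrid mode, client identified only by its address.
# The ID *type* matches what the client sends, but there is no configured
# value to compare it with, so the gateway performs no ID validation. This
# is the "not interested in having the gateway validate the id" case.
remote anonymous
{
        exchange_mode           aggressive;
        certificate_type        x509 "gateway-cert.pem" "gateway-key.pem";
        my_identifier           asn1dn;     # gateway still proves itself with its cert
        peers_identifier        address;    # client sets its local ID type to address
        verify_identifier       off;
        proposal {
                encryption_algorithm    aes;
                hash_algorithm          sha1;
                authentication_method   hybrid_rsa_server;
                dh_group                modp1024;
        }
}
```

The difference that matters for the client is which local ID type it offers: with variant A it must offer an asn1dn equal to its certificate subject (the "pull from cert" option does exactly that), while with variant B it offers its address, which racoon accepts without checking a value because none is configured.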
