[Vpn-help] 1.1 RC1 Bug?
Matthew Grooms
mgrooms at shrew.net
Tue Sep 19 14:26:07 CDT 2006
Peter Eisch wrote:
>
> So for hybrid, what would the correct local asn1dn be? I know what's in the
> subject of the peer's cert, so I can guess what to use in the remote field.
>
In hybrid mode, there is no correct local asn1dn any more than there is
a correct fqdn or ufqdn. It needs to match what the server has
configured for the peer so that it can be validated.
With mutual RSA authentication, the asn1dn id offered has to match the
cert subject that is offered later during negotiation. That's why there
is an option to pull it directly from the local copy of the cert so you
don't have to enter it manually. You could enter it manually to override
the value if you wanted to, but it's probably not a good idea. It's the
same as having an option to pull the endpoint IP to use as an address
id. You could override it, but it's probably not a good idea either.
These options are there for the day when someone tries to use the client
with some oddball vendor implementation. You know, the one that requires
the base64 encoded value of Kim Il Sung's favorite tea to be used as an
ID in conjunction with RSA authentication? Hey, it could happen ;)
If you are not interested in having the gateway validate the id, just
set the client to use its address for the local id value and configure
the racoon.conf "peer_identifier address;". In theory, that should work
fine as the id type will match but validation won't be performed because
you didn't specify an ID value to check.
If I were a better communicator, I would have already been able to
explain this adequately by now. It's never been my strong suit so you
will have to forgive me if I seem incoherent at times.
I swear, it all makes sense in my head :)
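The gateway side of what the reply above describes, written out as an added racoon.conf example (not a configuration from the original thread, the Shrew Soft client, or the ipsec-tools project). It assumes a racoon built with XAuth/hybrid support, placeholder certificate paths and a placeholder client DN, and it spells the directive the way the racoon.conf man page does, `peers_identifier`. The gateway takes its own asn1dn ID from the subject of its certificate, which is the same thing the client's "pull from cert" option does, and the two commented variants show the "type matches, no value is compared" case beside the validating one.

```conf
# Added example, not from the original post. Gateway-side racoon.conf
# "remote" block for hybrid authentication: the gateway authenticates with
# an RSA certificate, the client authenticates with XAuth credentials.
# Certificate paths and the client DN are placeholders (assumptions).
remote anonymous {
        exchange_mode main;

        # Gateway certificate and key; the asn1dn ID below is taken from the
        # subject of this cert because no string is given to my_identifier.
        certificate_type x509 "gateway-cert.pem" "gateway-key.pem";
        ca_type x509 "ca-cert.pem";
        my_identifier asn1dn;
        verify_cert on;

        # Variant 1: the client sends its own address as its ID. The ID type
        # matches, and since no value is given here, nothing is compared.
        peers_identifier address;

        # Variant 2: require the client to send a specific asn1dn and check
        # it. Uncomment these two lines, comment out the line above, and set
        # the client's local ID type to asn1dn with exactly this value.
        # peers_identifier asn1dn "C=US, O=Example Org, CN=vpn-client";
        # verify_identifier on;

        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
}
```

With variant 1 the hybrid exchange still authenticates the gateway (its cert is validated against `ca_type`) and the user (XAuth), so the client's ID is only a label; with variant 2 the client is additionally rejected in phase 1 if the asn1dn it offers does not match the configured string, which is the failure mode the thread is about.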