[Vpn-help] 1.1 RC1 Bug?

Peter Eisch peter at boku.net
Tue Sep 19 16:25:06 CDT 2006 

On 9/19/06 2:26 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:

> Peter Eisch wrote:
>> 
>> So for hybrid, what would the correct local asn1dn be?  I know what's in the
>> subject of the peer's cert, so I can guess what to use in the remote field.
>> 
> 
> In hybrid mode, there is no correct local asn1dn any more than there is
> a correct fqdn or ufqdn. It needs to match what the server has
> configured for the peer so that it can be validated.
> 

In HYBRID:

Suppose I have no peers_identifier line.  The client should be able to have
an empty "local" ASN1DN entry  or also be able to select any of the values,
right?  If the "remote" ASN1DN field is empty, the client doesn't auth the
server.

If the server is 'peers_identifier asn1dn' I don't see how anything can be
matched on a hybrid client.

What was the client offering during a hybrid session prior to 1.1b4?  That
worked for me.  It was the lack of auth in the RSASIG perturbations that I
thought I was reporting the problem earlier.
 

> With mutual RSA authentication, the asn1dn id offered has to match the
> cert subject that is offered later during negotiation. Thats why there
> is an option to pull it directly from the local copy of the cert so you
> don't have to enter it manually. You could enter it manually to override
> the value if you wanted to, but its probably not a good idea. Its the
> same as having an option to pull the endpoint IP to use as an address
> id. You could override it, but its probably not a good idea either.
> 

There are no issues with RSASIG or xauth+RSASIG, PSK or xauth+PSK.

> These options are there for the day when someone tries to use the client
> with some oddball vendor implementation. You know, the one that requires
> the base64 encoded value of Kim Il Sung's favorite tea to be used as an
> ID in conjunction with RSA authentication? Hey, it could happen ;)
> 
> If you are not interested in having the gateway validate the id, just
> set the client to use its address for the local id value and configure
> the racoon.conf "peer_identifier address;". In theory, that should work
> fine as the id type will match but validation won't be performed because
> you didn't specify an ID value to check.
> 

If I'm going to use anything in peers_identifier I want it to be asn1dn in
order to secure the important sessions.  I don't understand how any text
entered in the client's field can make any sense.

> If I were a better communicator, I would have already been able to
> explain this adequately by now. Its never been my strong suit so you
> will have to forgive me if I seem incoherent at times.
> 
> I swear, it all makes sense in my head :)
> 

I'm going to have to pick up some reading fodder I guess.

Peter

More information about the vpn-help mailing list