[Vpn-help] 1.1 RC1 Bug?

Peter Eisch peter at boku.net
Thu Sep 21 21:20:03 CDT 2006 

Perhaps I've been fooling myself since the server auth fixes went in.  I
kept using old profiles and those were my friend.  All worked nice and
pretty.

Tonight I whipped out a new computer and started from scratch.  I cannot get
my "standard" configs to connect at all.  It's consistently "peer auth
error" or "peer authentication error" and I'm dead.  My racoon config is the
same as it has been over the ages.  

I like the Hybrid config before in that it was reasonably simple and
straight-forward as a replacement for pptp where I can auth the user and
have reasonable crypto on the session.  Adding more checks, er security,
seems to increase the complexity higher than what it is with other clients.
With the cisco client I just need to load the p12, put in the hostname, user
and password and <poof> I'm in like flint.

peter

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Peter Eisch
Sent: Thursday, September 21, 2006 8:59 PM
To: 'Matthew Grooms'
Cc: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] 1.1 RC1 Bug?

I guess I'm still struggling with the ASN1DN with Hybrid.  I think that it's
my issue though.  Tonight is the first I've been back to something other
than bootstrapping a win98 system, so I can't say that I've been effective
at testing.

peter

-----Original Message-----
From: Matthew Grooms [mailto:mgrooms at shrew.net] 
Sent: Tuesday, September 19, 2006 9:32 PM
To: Peter Eisch
Cc: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] 1.1 RC1 Bug?

Peter Eisch wrote:
> 
> In HYBRID:
> 
> Suppose I have no peers_identifier line.  The client should be able to
have
> an empty "local" ASN1DN entry  or also be able to select any of the
values,
> right?  If the "remote" ASN1DN field is empty, the client doesn't auth the
> server.
> 

I had never envisioned a situation where a client wouldn't offer an 
identity or where the client wouldn't validate the peers identity. The 
RFC states that the responder should use the peer id to determine local 
a policy for the peer. The local policy is implementation specific.

> If the server is 'peers_identifier asn1dn' I don't see how anything can be
> matched on a hybrid client.
> 

I assure you, it *can* be used. Try this ... Set the clients local 
identifier to asn1dn = "C=us/ST=texas/O=shrew.net" and racoons 
peers_identifier to asn1dn "C=us/ST=texas/O=shrew.net"; then attempt to 
connect. Then change the peers_identifier in racoon.conf to 
"C=us/ST=texas/O=gogojuice.org" and try to connect. You will find that 
the first works and the second doesn't because racoon will reject the id 
in the second case because it doesn't match.

> What was the client offering during a hybrid session prior to 1.1b4?  That
> worked for me.  It was the lack of auth in the RSASIG perturbations that I
> thought I was reporting the problem earlier.
>  

When it was broke, it was probably offering an asn1dn with a null length 
value. If you don't want to not enforce an asn1dn, then use a different 
id type. Racoon sends an address when you don't specify a my_identifier 
type or value. Why don't you just use that? I don't think I understand 
what the issue is or what you are trying to accomplish.

> 
> There are no issues with RSASIG or xauth+RSASIG, PSK or xauth+PSK.
> 

What exactly is the issue? Do you mean that the client allows you to 
leave the id data blank when another authentication mode is selected?

> 
> If I'm going to use anything in peers_identifier I want it to be asn1dn in
> order to secure the important sessions.  I don't understand how any text
> entered in the client's field can make any sense.
> 

Do you think that asn1dn is more secure in hybrid? If you are using a 
mutual authentication mode, it has slightly more meaning than just an 
ID. But if you are enforcing IDs with hybrid mode, the client value just 
has to match what the server thinks it should be. Thats all the sense it 
has to make. If you choose to not enforce the ids, use something generic 
( like and address ) from the client and then don't enforce it at the 
gateway.

> 
> I'm going to have to pick up some reading fodder I guess.
> 

Please help me understand the problem you are trying to solve. If there 
is a issue with the client, I want to get it fixed. If there is a 
specific example of it not working properly, please send me the 
configuration information so I can take a look at it.

Thanks,

-Matthew

_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help

More information about the vpn-help mailing list