[Vpn-help] Hopefully the final 1.1 RC release ...

Peter Eisch peter at boku.net
Wed Sep 27 21:55:08 CDT 2006


Including my previous reply, below is what I've now tested.  My system is
XP SP2, current including the recent vgx.dll patch (I think that was the
name).  All my testing on the client used a p12 bundle.

My server is ipsec-tools current as of about 4PM CDT today.  The server is
behind NAT and the client is behind NAT.  The server's configuration will
match the client with 'anonymous' status where _no_ peers_identifier is
selected.

  Hybrid:        Set the local id to IP/Any; remote to ASN1DN and check to
                 accept the proposed cert.
  Xauth+RSASIG:  Set the local id to ASN1DN; remote to ASN1DN and check to
                 accept the proposed cert.
  RSASIG:        Set the local id to ASN1DN; remote to ASN1DN and check to
                 accept the proposed cert.

I can't test the PSK perturbations as Brian is running his own tests now.  I
don't think I had an issue with them in RC3 and if the only changes were
around ASN1DN handling I would give them reasonable confidence of working.

To my hangup with the ASN1DN -- to piggyback on the previous email -- I do
think that it's important that the client validate the received cert from
the remote against the ca.crt.  I don't "like" the checkbox for blindly
accepting the cert and I don't think the subject of the cert should be a
config requirement on the client.  If the ca.crt was used to sign the
received cert -- that should be all the client needs to trust the server.

peter
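
The point made in the last paragraph of the post (trust the server's cert because it chains to ca.crt, not because its subject DN was typed into the client) is shown below as an added example; it is not part of the mailing-list post and is not code from ipsec-tools or the VPN client. It builds two throw-away CAs and two server certificates with openssl in a temporary directory (all names and subjects are constructed here), then runs the chain check a client should perform: the cert signed by ca.crt verifies, the one signed by some other CA does not, and the subject DN is never consulted.

```shell
#!/bin/sh
# Added example: CA-chain validation of a received server cert, with no subject pinning.
# Everything is generated locally in a temp dir and removed on exit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA. $1 = file prefix, $2 = subject (constructed values).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.crt" -days 1 -subj "$2" >/dev/null 2>&1
}

# Server certificate signed by a CA. $1 = output prefix, $2 = CA prefix, $3 = subject.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$3" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 1 >/dev/null 2>&1
}

# The check the client should do: does the received cert ($2) chain to the
# configured ca.crt ($1)? Returns 0 on success, non-zero otherwise. The
# subject DN of the received cert plays no part in the decision.
verify_against_ca() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# ca.crt is what the client ships; rogue-ca stands in for any other issuer.
make_ca ca "/CN=Example VPN CA (constructed)"
make_ca rogue-ca "/CN=Some Other CA (constructed)"
# Legitimate gateway cert signed by ca.crt; the subject is arbitrary.
make_server_cert server ca "/CN=vpn.example.test (constructed)"
# A cert with the same subject but signed by the other CA.
make_server_cert rogue rogue-ca "/CN=vpn.example.test (constructed)"

if verify_against_ca ca server; then
  echo "server.crt: chains to ca.crt, trust it"
else
  echo "server.crt: does NOT chain to ca.crt, reject"
fi
if verify_against_ca ca rogue; then
  echo "rogue.crt: chains to ca.crt, trust it"
else
  echo "rogue.crt: does NOT chain to ca.crt, reject (same subject, wrong issuer)"
fi
```

Note that both server certs carry the identical subject DN, so a client that pinned the subject would accept either; the chain check against ca.crt is what separates them, which is the behaviour the post asks the client to rely on instead of the "accept the proposed cert" checkbox.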
