[Vpn-help] Hopefully the final 1.1 RC release ...
Peter Eisch
peter at boku.net
Thu Sep 28 01:07:28 CDT 2006
On 9/27/06 11:57 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:
> ... The only behavior that the
> check box modifies is that the server's asn1dn, offered as an identity,
> isn't compared with a client configured static value. I believe this is
> commonly referred to as authorization in addition to authentication.
>
The server's identity must be verified as being signed by the provided CA
cert. If the check box is checked, does this verification happen?
> Being able to compare a peer ID ( asn1dn or otherwise ) with a static
> value exists in every IPSEC implementation that I am aware of. If not
> the ID, what property distinguishes your VPN gateway cert from another
> cert issued by the same CA?
>
It doesn't. Maybe this is where I'm running off the track. The point of
running a CA is to build a trust community.
Can you help me see an example of when one signed cert would need to be
distinguished from another signed cert on a VPN gateway?
> But I think this is all moot. I added a check box so that it can be
> disabled for asn1dn IDs. Problem solved right?
I'm looking to set up a pool of VPN servers (to give my frame of reference)
and I want to be able to have the clients hit any of the servers that each
have a cert signed by the same CA. I could have all the servers use the
same identity -- and maybe that's the "more right" way to approach it.
When I check that box, the server's cert is still checked against the CA
cert, right?
$_ = <STDIN>;   # a bare <> in void context never assigns to $_
chomp;          # strip the newline so the eq comparisons can match
if ($_ eq 'yes') {
    printf("excellent\r\n");
} elsif ($_ eq 'no') {
    printf("this is a bad thing. It needs to be.\r\n");
} else {
    printf("I'm still confused.\r\n");
}
exit;
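The two checks the thread is arguing about, as an added illustration (not code from this list or from the Shrew Soft client): a throwaway CA issues certs to two hypothetical pool gateways (vpn1/vpn2.example.net are made-up names), both certs verify against the CA, and only the asn1dn comparison tells one gateway from the other. Go standard library only; the CA, keys and serial numbers are constructed in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
var serial int64 // constructed serial counter for the toy pool CA

// issue makes a key pair and certificate for cn; with parent == nil it self-signs the CA.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // self-signed: this is the pool CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsToCA is authentication: the offered cert must verify as signed by the trusted CA.
func chainsToCA(cert, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// idMatches is authorization: the asn1dn the peer offers must equal the configured static value.
func idMatches(cert *x509.Certificate, expectedDN string) bool {
	return cert.Subject.String() == expectedDN
}
// Demo builds the pool from the thread: one CA, two gateways, each with its own cert.
func Demo() (bothChainToCA, gw1PassesAsGw2 bool) {
	ca, caKey := issue(nil, nil, "Pool CA")
	gw1, _ := issue(ca, caKey, "vpn1.example.net")
	gw2, _ := issue(ca, caKey, "vpn2.example.net")
	bothChainToCA = chainsToCA(gw1, ca) && chainsToCA(gw2, ca) // true: the CA check alone cannot tell them apart
	gw1PassesAsGw2 = idMatches(gw1, gw2.Subject.String())      // false: only the ID comparison does
	return
}
```

With the ID check disabled, any cert the same CA ever issued passes; sharing one identity across the pool keeps the check meaningful while still letting a client reach any server.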