[Vpn-help] Hopefully the final 1.1 RC release ...

Peter Eisch peter at boku.net
Thu Sep 28 01:07:28 CDT 2006


On 9/27/06 11:57 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:

> ...  The only behavior that the
> check box modifies is that the servers asn1dn, offered as an identity,
> isn't compared with a client configured static value. I believe this is
> commonly referred to as authorization in addition to authentication.
> 

The server's identity must be verified as being signed by the provided CA
cert.  If the check box is checked, does this verification happen?

> Being able to compare a peer ID ( asn1dn or otherwise ) with a static
> value exists in every IPSEC implementation that I am aware of. If not
> the ID, what property distinguishes your VPN gateway cert from another
> cert issued by the same CA?
> 

It doesn't.  Maybe this is where I'm running off the track.  The point of
running a CA is to build a trust community.

Can you help me see an example of when one signed cert would need to be
distinguished from another signed cert on a VPN gateway?

> But I think this is all moot. I added a check box so that it can be
> disabled for asn1dn IDs. Problem solved right?

I'm looking to set up a pool of vpn servers (to give my frame of reference)
and I want to be able to have the clients hit any of the servers that each
have a cert signed by the same CA.  I could have all the servers use the
same identity -- and maybe that's the "more right" way to approach it.

When I check that box, the server's cert is still checked against the CA
cert, right?

  chomp($_ = <>);   # read the answer into $_ and drop the newline, or 'eq' never matches
  if ($_ eq 'yes') {
    printf("excellent\r\n");
  } elsif ($_ eq 'no') {
    printf("this is a bad thing.  It needs to be.\r\n");
  } else {
    printf("I'm still confused.\r\n");
  }
  exit;

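As an added example (not the Shrew Soft client's code, and not written by either poster), the Go program below models the two checks this thread keeps separating: authentication, meaning the offered certificate chains to the CA the client trusts, and authorization, meaning its subject DN (the asn1dn identity) matches a client-configured static value. The CA names, gateway names and organization are constructed values, and the `accept` function's treatment of the "check box" is this model's assumption, not a statement about what the client actually does. It shows why two certs from the same CA cannot be told apart by authentication alone (only the DN comparison separates vpn1 from vpn2), that a pool in which two gateways share one subject passes the comparison for both, and that a certificate carrying the right name but issued by some other CA fails regardless of the check box, because the chain check runs unconditionally here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyPair returns a fresh P-256 key (constructed for this example).
func keyPair() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newCA builds a self-signed CA certificate; the name is a constructed example value.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := keyPair()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issue signs a gateway certificate with the given subject under the given CA.
// Several gateways may be issued the same subject (the shared-identity pool).
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string) *x509.Certificate {
	key := keyPair()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example VPN"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// authenticate answers "was this cert signed by the CA I trust?" (chain check).
func authenticate(offered, trustedCA *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := offered.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// authorize answers "is this the particular gateway I configured?" by comparing
// the certificate's subject DN with a static, client-configured value.
func authorize(offered *x509.Certificate, expectedDN string) bool {
	return offered.Subject.String() == expectedDN
}

// accept is this model's client decision (an assumption, not the real client):
// the chain check always runs; compareID only toggles the DN comparison.
func accept(offered, trustedCA *x509.Certificate, expectedDN string, compareID bool) bool {
	if !authenticate(offered, trustedCA) {
		return false
	}
	return !compareID || authorize(offered, expectedDN)
}

func main() {
	ca, caKey := newCA("Example VPN CA")
	rogue, rogueKey := newCA("Some Other CA")
	vpn1 := issue(ca, caKey, 2, "vpn1.example.net")
	vpn2 := issue(ca, caKey, 3, "vpn2.example.net")
	vpn1b := issue(ca, caKey, 4, "vpn1.example.net")    // second box in the pool, same identity
	fake := issue(rogue, rogueKey, 5, "vpn1.example.net") // right name, untrusted issuer
	want := vpn1.Subject.String()
	cases := []struct {
		name string
		cert *x509.Certificate
	}{{"vpn1", vpn1}, {"vpn2", vpn2}, {"vpn1 (2nd box)", vpn1b}, {"other-CA vpn1", fake}}
	for _, c := range cases {
		fmt.Printf("%-15s id-check on: %-5v id-check off: %v\n", c.name,
			accept(c.cert, ca, want, true), accept(c.cert, ca, want, false))
	}
}
```

Run with `go run .`; with the ID check on, only the two certificates carrying vpn1's DN and signed by the trusted CA are accepted, with it off every certificate from the trusted CA is accepted, and the certificate from the other CA is rejected in both columns.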