From: Andreas Nobel <Andreas.Nobel@FernUni-Hagen.de> - 2005-12-14 13:59:31
I have browsed through the devel mailing list and
found your posting from August 2nd, 2005.
I wonder if this useful feature is implemented
somewhere in racoon's CVS yet?
It would be much more useful if we could explicitly compare
the CN given by the peer's certificate with the username
entered via the phase 1.5 additional authentication
step required by Xauth. So we can compare them AND have
the possibility to DO an extra check to improve SECURITY
when the xauth_rsa_server method is used.
Otherwise the user certificate that is used for phase 1
actually has NOTHING to do with the user who is
authenticating through Xauth. Isn't this curious? So if
you have a valid user certificate you can log in with all
other valid (system-wide or RADIUS-based) accounts.
Any thoughts on this still interesting feature, which I
would simply call Certificate DN --> CN Matching as
part of one valid Xauth username?
I'm currently looking at how to get the information which
used establishing a specific tunnel. Using "old" ipsec
like freeswan I had two possibilities: I could use
ipsec auto --status or I could take a look at the logfiles.
Using racoon, option one is missing completely (to my
and option two isn't very useful either, as the debug level
has to be increased beyond any reason...
Is it possible to include this information on a lower
debug level, or maybe even in setkey?
For those interested in the reason I'm asking:
Currently, we're using ipsec and l2tp-Tunneling. At the
moment, we're matching
certificate is matching the username supplied for ppp -
connection will be killed. I would like to keep this
functionality, but I would also like to use racoon in the
near future :)
/* yes, it's bizarre. like many bizarre things, it's the
-- Comment in Vixie cron
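The check the message asks for, as an added example that is not racoon code and not part of the list post: parse the phase-1 certificate's subject DN and accept the XAuth login only when the subject carries exactly one CN and it equals the supplied username. The function names, DN strings and usernames are constructed for the example.

```python
# Added example (not racoon code): bind the XAuth username to the CN of the
# phase-1 peer certificate. DN strings and usernames below are constructed.

def parse_rfc4514_dn(dn):
    """Split an RFC 4514 subject string into (attribute, value) pairs.

    Handles backslash escapes such as 'O=Acme\\, Inc.' and treats both ','
    and '+' (multi-valued RDN) as separators; attribute types are upper-cased.
    """
    pairs, buf, attr, escaped = [], [], None, False
    for ch in dn:
        if escaped:                       # literal character after a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:  # first '=' ends the attribute type
            attr = "".join(buf).strip().upper()
            buf = []
        elif ch in ",+" and attr is not None:
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)                # '=' inside a value is kept as-is
    if attr is not None:
        pairs.append((attr, "".join(buf).strip()))
    return pairs


def cert_cn_matches_xauth_user(subject_dn, xauth_user):
    """True only when the certificate carries exactly one CN and it equals the
    XAuth username byte-for-byte (no case folding: Unix and RADIUS usernames
    are case-sensitive). A CN-less or ambiguous subject is refused, not guessed.
    """
    if not xauth_user:
        return False
    cns = [value for attr, value in parse_rfc4514_dn(subject_dn) if attr == "CN"]
    return len(cns) == 1 and cns[0] == xauth_user


if __name__ == "__main__":
    sample = "C=DE, O=Example Org, CN=alice"      # constructed subject DN
    print(cert_cn_matches_xauth_user(sample, "alice"))   # True
    print(cert_cn_matches_xauth_user(sample, "bob"))     # False
```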