From: Matthew Grooms <mgrooms@sh...> - 2006-09-16 02:42:02
I am trying to understand how asn1dn ids are verified in
ipsecdoi_checkid1 and I don't quite understand. I am running ipsec-tools
CVS and have my racoon.conf setup like so ...
certificate_type x509 "vpngw.crt" "vpngw.key";
ca_type x509 "ca.crt";
lifetime time 24 hours;
With my_identifier and peers_identifier set to asn1dn with no string
value, it's my understanding that racoon would pull a subject name from a
certificate. I can see how this works for the local id as the subject
can be pulled from vpngw.crt but where does the asn1dn come from for the
remote id comparison? When I connect, it always works even though I have
verify_identifier set to "on". When I added some debug code to
ipsecdoi_checkid1 to see where the match was happening, it matched in
the "if (id->id == 0)" clause. To me this means that even though I have
instructed racoon to verify the peer's identity, the directive is ignored
because there is no local id value to compare it to.
Am I missing something fundamental with respect to verifying asn1dn
identities? Is racoon always supposed to ignore a peer's asn1dn id if
there is no string specified in the racoon.conf "peers_identifier" or is
this a bug?
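The configuration below is an added example, not part of the original message or of ipsec-tools; it shows the practical workaround for the concern raised above: giving peers_identifier an explicit DN string so that racoon has a configured value to compare the peer's ID against, rather than an empty asn1dn that leaves nothing to match. The peer address, the DN and the proposal parameters are constructed for illustration; substitute the subject of the peer's real certificate.

```conf
# racoon.conf (added example, values are constructed)
remote 203.0.113.5 {
        exchange_mode main;
        certificate_type x509 "vpngw.crt" "vpngw.key";
        ca_type x509 "ca.crt";

        # Local ID: with no string, the subject of vpngw.crt is used.
        my_identifier asn1dn;

        # Weak: no DN string, so there is no configured peer ID to compare
        # the received ID payload against (the situation described above).
        # peers_identifier asn1dn;

        # Pinned: the subject DN expected in the peer's certificate, in the
        # order the RDNs appear in the certificate.
        peers_identifier asn1dn "C=US, O=Example Corp, CN=vpnpeer.example.com";

        # Reject the peer if its ID payload does not match the pinned DN,
        # and require the certificate to validate against ca.crt.
        verify_identifier on;
        verify_cert on;

        lifetime time 24 hours;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
```

The DN string must match the certificate's subject as racoon renders it (the RDN order and spacing matter), so check it against `openssl x509 -in peer.crt -noout -subject` before enabling verify_identifier; a mismatch fails phase 1 in the same way a wrong peer would.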