From: <ma...@ne...> - 2004-10-23 11:56:16
Aidas Kasparas <a.k...@gm...> wrote:

> You see, before the introduction of xauth, authentication was symmetrical
> (if one side authenticates via certificates, then the other does the same; if
> the parties authenticate via psk, then both do the same). Therefore, it was
> sufficient to have just one member in the iph1 structure (certtype) to
> describe what kind of certificate authentication is needed. Now that
> this symmetry is gone, we have to think: should we split that certtype
> into two - my_certtype and remote_certtype - or is this not necessary,
> because in the xauth case the value in one of these is invariant? But even in
> that case, we have to assign certtype the correct value when we find that
> the xauth scheme will be used.
>
> So, please do an investigation of what changes are necessary.

With Xauth there wouldn't be any problem because the authentication is still symmetrical.

The problem is with hybrid auth. In hybrid auth, the road warrior does not authenticate at all at phase 1 time, and the VPN access concentrator does authenticate to the road warrior, using either RSA or DSS, so there is always a certificate.

The only information racoon needs on the road warrior is the peer's certificate type. For now only X509 is supported; we can either
- allow the certificate type to be supplied without a certificate
- detect the certificate type sent by the VPN access concentrator.

The second solution is the best, because this removes all certificate configuration from the road warrior. The information is available from the ISAKMP packet. I'll submit a new patch with that.

-- 
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand binary and those who don't.
ma...@ne...
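The detection Emmanuel proposes reads the Certificate Encoding field that the ISAKMP CERT payload carries in front of the certificate data (RFC 2408 section 3.9). The C below is an added example, not code from this thread or from racoon: it walks the payload chain of one ISAKMP message, bounds-checking every length a peer controls, and returns that encoding byte so a road warrior can learn the concentrator's certificate type without any local certificate configuration. The sample message it builds is constructed here (not a capture), and the function and macro names are the example's own rather than racoon's identifiers. It assumes the message is already in plaintext, i.e. decrypted first where the exchange encrypts it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed sizes and codes from RFC 2408 (ISAKMP). */
#define ISAKMP_HDR_LEN     28  /* cookies(16) np(1) ver(1) xchg(1) flags(1) msgid(4) len(4) */
#define ISAKMP_GEN_LEN      4  /* generic payload header: np(1) reserved(1) length(2) */
#define ISAKMP_NPTYPE_NONE  0
#define ISAKMP_NPTYPE_ID    5
#define ISAKMP_NPTYPE_CERT  6
/* Certificate Encoding values (RFC 2408 section 3.9) run 1..10. */
#define ISAKMP_CERT_X509SIGN  4
#define ISAKMP_CERT_X509KE    5
#define ISAKMP_CERT_X509ATTR 10

static const char *const cert_encoding_names[] = {
    "NONE", "PKCS #7 wrapped X.509 certificate", "PGP Certificate", "DNS Signed Key",
    "X.509 Certificate - Signature", "X.509 Certificate - Key Exchange", "Kerberos Tokens",
    "Certificate Revocation List (CRL)", "Authority Revocation List (ARL)",
    "SPKI Certificate", "X.509 Certificate - Attribute",
};

const char *isakmp_cert_encoding_name(int enc)
{
    return (enc < 0 || enc > ISAKMP_CERT_X509ATTR) ? "unknown" : cert_encoding_names[enc];
}

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/*
 * Walk the payload chain of one plaintext ISAKMP message and return the
 * Certificate Encoding byte of its first CERT payload, or -1 if the message is
 * truncated, a payload length points outside it, or it carries no CERT payload.
 * Every length is checked before use so a hostile peer cannot push the walk
 * past the end of the buffer.
 */
int isakmp_peer_cert_encoding(const uint8_t *msg, size_t msglen)
{
    if (msglen < ISAKMP_HDR_LEN) return -1;
    uint32_t total = get32(msg + 24);                /* header length field */
    if (total < ISAKMP_HDR_LEN || total > msglen) return -1;

    uint8_t np = msg[16];                            /* header next-payload */
    size_t off = ISAKMP_HDR_LEN;
    while (np != ISAKMP_NPTYPE_NONE) {
        if (off + ISAKMP_GEN_LEN > total) return -1;
        uint16_t plen = get16(msg + off + 2);
        if (plen < ISAKMP_GEN_LEN || off + plen > total) return -1;
        if (np == ISAKMP_NPTYPE_CERT)
            return plen > ISAKMP_GEN_LEN ? msg[off + ISAKMP_GEN_LEN] : -1;
        np = msg[off];                               /* chain to the next payload */
        off += plen;
    }
    return -1;
}

/*
 * Constructed sample (not a capture): ISAKMP header (Aggressive exchange), an
 * ID payload for 192.0.2.1, then a CERT payload with the given encoding and
 * three placeholder bytes in place of certificate data.  Returns the message
 * length, or 0 if buf is too small.
 */
size_t build_sample_message(uint8_t *buf, size_t buflen, uint8_t encoding)
{
    static const uint8_t certdata[3] = { 0x30, 0x82, 0x00 };   /* not a real cert */
    const size_t idlen = ISAKMP_GEN_LEN + 4 + 4;     /* type, proto, port + IPv4 */
    const size_t certlen = ISAKMP_GEN_LEN + 1 + sizeof certdata;
    const size_t total = ISAKMP_HDR_LEN + idlen + certlen;
    if (buflen < total) return 0;
    memset(buf, 0, total);                  /* zero cookies, flags, message ID */
    buf[16] = ISAKMP_NPTYPE_ID;             /* first payload is ID */
    buf[17] = 0x10;                         /* ISAKMP version 1.0 */
    buf[18] = 4;                            /* exchange type: Aggressive */
    buf[26] = (uint8_t)(total >> 8); buf[27] = (uint8_t)total;

    uint8_t *id = buf + ISAKMP_HDR_LEN;
    id[0] = ISAKMP_NPTYPE_CERT;             /* next payload is CERT */
    id[2] = (uint8_t)(idlen >> 8); id[3] = (uint8_t)idlen;
    id[4] = 1;                              /* ID type ID_IPV4_ADDR */
    id[8] = 192; id[9] = 0; id[10] = 2; id[11] = 1;

    uint8_t *cert = id + idlen;
    cert[0] = ISAKMP_NPTYPE_NONE;           /* last payload in the chain */
    cert[2] = (uint8_t)(certlen >> 8); cert[3] = (uint8_t)certlen;
    cert[4] = encoding;                     /* the byte the road warrior reads */
    memcpy(cert + 5, certdata, sizeof certdata);
    return total;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_sample_message(buf, sizeof buf, ISAKMP_CERT_X509SIGN);
    int enc = isakmp_peer_cert_encoding(buf, n);
    printf("peer certificate encoding %d: %s\n", enc, isakmp_cert_encoding_name(enc));
    return enc == ISAKMP_CERT_X509SIGN ? 0 : 1;
}
```

The encoding byte is peer-supplied, so whatever consumes it should still reject values it cannot handle (only X.509 in racoon at the time of this thread) rather than trusting it to select a parser; the walker above only reports the value, it does not validate the certificate.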