
Re: isakmpd: unknown id type user_fqdn



Ok, once more...

IDs are used in two contexts.

First, during what is called IKE phase 1 (such as MainMode) for
authentication.  This is shared keys, certificates etc. Here the ID points
to, say, a FQDN or USER_FQDN string that should match a certificate we
want to use.

Second, we have the IKE phase 2 (QuickMode) IDs; these contain the
addresses and networks that we have on either side of the VPN. Meaning,
Local-ID and Remote-ID should contain IPV{4,6}_ADDR{,_SUBNET} type IDs.

Why, this is explicitly stated in the manual page, isakmpd.conf(5). Check
the <IPsec-ID> section there...

One could argue that isakmpd should automatically translate a FQDN to an
address for a Phase 2 ID, but this is currently not done. I don't really
see a good reason why we should either.

Furthermore, the USER_FQDN is even worse, as it refers to a *user* at a
FQDN, something that has no place when talking about Phase 2 / network-level
configuration.

In short -- for Phase 2, use "IP-only" IDs, for Phase 1, use whatever you
want (just make sure the certificate matches the ID, read certpatch(8) for
more info).

If this is still unclear, I really recommend you read RFCs 2401 and up.

/H

On Sun, 9 Jun 2002, Hanspeter Roth wrote:

>   On Jun 09 at 01:34, Hakan Olsson spoke:
>
> >
> > Ok, but note that Default-phase-1-ID is used for X509 certificate
> > authentication, while you are using shared-key auth (the Authentication=
> > field).
>
> So where do I put the USER_FQDN? (At least it is known in the
> manpage.)
>
> > Yes, you still need a local ID for the VPN. Think "what's the local IP/net
> > on this side of the tunnel".
> >
> > If you plan to go to a setup where the "Road-Warrior" uses a dynamic
> > address, your entire config file can probably look just like this
> > eventually:
>
> Sorry. I should have told you the Road-Warrior is OpenBSD with
> isakmpd. The Road-Warrior has no net behind it. It should run in a
> host-net environment. Its ID is expected to be a USER_FQDN. The ID
> of the IPsec-peer is an ip4 address.
> Is it possible with OpenBSD isakmpd to have an ID of type USER_FQDN?
>
> -Hanspeter
>
>

--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
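The split Håkan describes (a USER_FQDN ID for Phase 1 authentication, IP-only IDs for Phase 2) looks like this in an isakmpd.conf on the road-warrior side. This is an added example written for this post, not a file from the thread or from OpenBSD; the addresses, the peer network, the pre-shared key and the user name are made up, and the Default-main-mode / Default-quick-mode sections are assumed to be the daemon's built-in defaults rather than spelled out here.

```ini
# Added example isakmpd.conf for a host-to-net road-warrior (not from the thread).
# All addresses, names and the key below are constructed placeholders.

[Phase 1]
# The gateway we talk to, keyed by its address.
192.0.2.1=              ISAKMP-peer-gw

[Phase 2]
Connections=            IPsec-rw-gw

# --- Phase 1: who we are for authentication purposes -------------------
[ISAKMP-peer-gw]
Phase=                  1
Transport=              udp
Address=                192.0.2.1
Configuration=          Default-main-mode
# Shared-key authentication, as in the asker's setup.
Authentication=         example-preshared-key-placeholder
# Our Phase 1 identity: a USER_FQDN is fine here, because this ID only
# names the party being authenticated (with certificates it would have to
# match the certificate, see certpatch(8)).
ID=                     rw-user-id

[rw-user-id]
ID-type=                USER_FQDN
Name=                   user@example.com

# --- Phase 2: which addresses/networks the tunnel carries --------------
[IPsec-rw-gw]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-gw
Configuration=          Default-quick-mode
# Both IDs are IP-type, never FQDN or USER_FQDN, because they describe
# traffic selectors, not people.
Local-ID=               rw-host
Remote-ID=              gw-net

[rw-host]
# The road-warrior has no net behind it, so its local ID is its own address.
ID-type=                IPV4_ADDR
Address=                198.51.100.7

[gw-net]
# The network reachable behind the gateway.
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0
```

The ID-type values the daemon accepts for Local-ID and Remote-ID are the IPV4_ADDR, IPV4_ADDR_SUBNET, IPV6_ADDR and IPV6_ADDR_SUBNET forms named in the post; putting USER_FQDN in either of those sections produces the "unknown id type user_fqdn" complaint in the subject line, since that type is only meaningful in the Phase 1 ID section.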