[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: isakmpd: unknown id type user_fqdn
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: isakmpd: unknown id type user_fqdn
- From: Hakan Olsson <ho_(_at_)_crt_(_dot_)_se>
- Date: Mon, 10 Jun 2002 18:34:28 +0200 (MET DST)
On Mon, 10 Jun 2002, Hanspeter Roth wrote:
> > First, during what is called IKE phase 1 (such as MainMode) for
> > authentication. This is shared keys, certificates etc. Here the ID points
> > to, say, a FQDN or USER_FQDN string that should match a certificate we
> > want to use.
> Is that to say USER_FQDN doesn't work with preshared secrets?
If you use preshared keys to authenticate, this is the "Authentication="
tag under the relevant Phase 1 section. In the same section, you can use
an "ID=" tag instead, to point out the Phase 1 ID to use. Here USER_FQDN
or FQDN normally points out a certificate, even though other types are ok
You select which authentication type to use by selecting, say, 3DES-SHA
(for preshared) or 3DES-SHA-RSA_SIG (for X509/certificate auth). If you
use the former, the ID= tag is not used. With the latter, Authentication=
> > Furthermore, the USER_FQDN is ever worse, as it refers to a *user* at a
> > FQDN, something that has no place when talking about Phase2 / network-
> > level configuration.
> Ok. But for Phase 1? At least USER_FQDN works with racoon and pluto.
Yes, in Phase 1 FQDN/USER_FQDN are quite ok to use, see above. There are
numerous examples of this to be found.
Håkan Olsson <ho_(_at_)_crt_(_dot_)_se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB