Re: isakmpd: unknown id type user_fqdn
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: isakmpd: unknown id type user_fqdn
- From: Hakan Olsson <ho_(_at_)_crt_(_dot_)_se>
- Date: Mon, 10 Jun 2002 18:34:28 +0200 (MET DST)
On Mon, 10 Jun 2002, Hanspeter Roth wrote:
> > First, during what is called IKE phase 1 (such as MainMode) for
> > authentication. This is shared keys, certificates etc. Here the ID points
> > to, say, a FQDN or USER_FQDN string that should match a certificate we
> > want to use.
>
> Is that to say USER_FQDN doesn't work with preshared secrets?
If you use preshared keys to authenticate, this is the "Authentication="
tag under the relevant Phase 1 section. In the same section, you can use
an "ID=" tag instead, to point out the Phase 1 ID to use. Here USER_FQDN
or FQDN normally points out a certificate, even though other types are ok
too.
You select which authentication type to use by selecting, say, 3DES-SHA
(for preshared) or 3DES-SHA-RSA_SIG (for X509/certificate auth). If you
use the former, the ID= tag is not used. With the latter, Authentication=
is ignored.
>
> > Furthermore, the USER_FQDN is even worse, as it refers to a *user* at a
> > FQDN, something that has no place when talking about Phase2 / network-
> > level configuration.
>
> Ok. But for Phase 1? At least USER_FQDN works with racoon and pluto.
Yes, in Phase 1 FQDN/USER_FQDN are quite ok to use, see above. There are
numerous examples of this to be found.
/H
--
Håkan Olsson <ho_(_at_)_crt_(_dot_)_se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB
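As an added illustration of the layout Håkan describes (this is not configuration posted in the thread, nor taken from the isakmpd manual), the isakmpd.conf skeleton below puts the pieces side by side: an "Authentication=" tag and an "ID=" tag in the Phase 1 peer section, FQDN / USER_FQDN ID sections for Phase 1, a "Transforms=" choice between 3DES-SHA (preshared) and 3DES-SHA-RSA_SIG (certificates), and address/subnet IDs only in Phase 2. All section labels, addresses, host and user names, certificate paths and the preshared secret are made-up placeholders to be replaced before use.

```ini
# Added example, not from the thread or from OpenBSD's own documentation.
# Section names, addresses, names, certificate paths and the secret are
# placeholders.

[Phase 1]
# Map the peer's address to the section describing that IKE (Phase 1) peer.
10.0.0.1=               ISAKMP-peer-west

[Phase 2]
Connections=            IPsec-east-west

[ISAKMP-peer-west]
Phase=                  1
Transport=              udp
Local-address=          192.168.1.1
Address=                10.0.0.1
# Keep exactly one Configuration= line active. Main-mode-PSK selects a
# preshared-key transform, so Authentication= supplies the secret.
# Main-mode-RSA selects an RSA_SIG transform, so authentication comes from
# the certificate matched through ID= and Authentication= is ignored.
Configuration=          Main-mode-PSK
#Configuration=         Main-mode-RSA
Authentication=         placeholder-preshared-secret
ID=                     East-ID
Remote-ID=              West-ID

# Phase 1 identities: FQDN and USER_FQDN are acceptable here.
[East-ID]
ID-type=                FQDN
Name=                   east.example.com

[West-ID]
ID-type=                USER_FQDN
Name=                   vpn@west.example.com

[Main-mode-PSK]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Main-mode-RSA]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-RSA_SIG

# Only needed with Main-mode-RSA: where isakmpd finds the CA, peer
# certificates and the local private key (placeholder paths).
[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

# Phase 2 describes networks, so the ID sections it references use
# address/subnet ID types. A USER_FQDN section referenced from here is the
# placement the reply above says has no place at the Phase 2 level.
[IPsec-east-west]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-west
Configuration=          Default-quick-mode
Local-ID=               Net-east
Remote-ID=              Net-west

[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[Net-west]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
```

The point of the fragment is the split between the two kinds of ID section: the ones named by ID= / Remote-ID= in a Phase 1 peer section may be FQDN or USER_FQDN, while the ones named by Local-ID= / Remote-ID= in a Phase 2 connection section are network identities, which is where the USER_FQDN question in this thread came up.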