
isakmpd.policy: how to parse the DN


Andreas Schuldei

Dec 23, 2000, 11:40:13 AM
I encode the IP address of the VPN gateways in the DNs of their certificate
requests.

As a peer I want to compare the certificate's DN (= the peer's IP) with the
remote_id_(what do I use here?). I figure that would be quite safe.

However, I do not know how I can tell isakmpd that it should compare the DN
with remote_id_(whatsoever?).

Please advise!

Angelos D. Keromytis

Dec 23, 2000, 11:06:50 PM

In message <2000122317...@sigrid.schuldei.com>, Andreas Schuldei writes:

>I encode the IP address of the VPN gateways in the DNs of their certificate
>requests.
>
>As a peer I want to compare the certificate's DN (= the peer's IP) with the
>remote_id_(what do I use here?). I figure that would be quite safe.

You compare the DN by putting it in the Licensees field (look at the
examples in the isakmpd.policy man page). However, I think you should put
the IP address in the SubjAltName of the gateway certificate; isakmpd
verifies the match between SubjAltName and the Phase 1 ID (which is also
the remote_id checked by policy)
-Angelos

Andreas Schuldei

Dec 25, 2000, 3:59:05 PM
* Angelos D. Keromytis (ang...@adk.gr) [001224 05:11]:

> >I encode the IP address of the VPN gateways in the DNs of their certificate
> >requests.
> >As a peer I want to compare the certificate's DN (= the peer's IP) with the
> >remote_id_(what do I use here?). I figure that would be quite safe.

The idea behind this is to avoid the problems described in the IPsec FAQ
(subtitle: almost secure is not secure). This way I avoid the nameserver
lookup. Is this in fact a secure way of identifying a peer using a
certificate? Or am I overlooking something?

The certificate thing gives me some headache if I think about it: someone with
his IP encoded into his certificate connects to me. How do I know that his
certificate is issued by the same CA that issued mine? I as a peer have only a
certificate and my private key and no means to identify foreigners. Or is there
some communication with the CA involved?

> You compare the DN by putting it in the Licensees field (look at the
> examples in the isakmpd.policy man page). However, I think you should put
> the IP address in the SubjAltName of the gateway certificate;

I searched for SubjAltName in the archive and Google (which pointed me back to
the archive). I am sure I read the phrase somewhere in the last week. I thought
it was in openssl.cnf. I could not find it. Where is it really?

> isakmpd
> verifies the match between SubjAltName and the Phase 1 ID (which is also
> the remote_id checked by policy)

Does it do so automatically? Or do I have to activate that somehow?

Angelos D. Keromytis

Dec 25, 2000, 11:32:19 PM

In message <200012252...@sigrid.schuldei.com>, Andreas Schuldei writes:
>
>The idea behind this is to avoid the problems described in the IPsec FAQ
>(subtitle: almost secure is not secure). This way I avoid the nameserver
>lookup. Is this in fact a secure way of identifying a peer using a
>certificate? Or am I overlooking something?

Yes.

>The certificate thing gives me some headache if I think about it: someone with
>his IP encoded into his certificate connects to me. How do I know that his
>certificate is issued by the same CA that issued mine? I as a peer have only a
>certificate and my private key and no means to identify foreigners. Or is there
>some communication with the CA involved?

Actually, you must have the CA's certificate if the authentication is to work.
Multiple CAs and certs/CA are supported (they all go in /etc/isakmpd/ca/)

>I searched for SubjAltName in the archive and Google (which pointed me back to
>the archive). I am sure I read the phrase somewhere in the last week. I thought
>it was in openssl.cnf. I could not find it. Where is it really?

Actually, it's the field the certpatch utility creates on the certificate.

>> isakmpd
>> verifies the match between SubjAltName and the Phase 1 ID (which is also
>> the remote_id checked by policy)
>
>Does it do so automatically? Or do I have to activate that somehow?

The match between SubjAltName and Phase 1 ID is done automatically (nothing
to turn on/off); then, all you have to do is include a statement like
remote_id == "server.foobar.com"
in your policy.
-Angelos
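The check Angelos describes, a Phase 1 ID that must match a SubjAltName entry of the peer's certificate before the policy's remote_id condition is even evaluated, is easier to reason about with the bytes in front of you. The following is an added example, not code from the thread, from isakmpd or from OpenBSD's certpatch: it builds a DER subjectAltName (GeneralNames) for a hypothetical gateway certificate, decodes it with a minimal DER walker, and compares an IKE Phase 1 identity against it type for type. The hostname reuses the thread's server.foobar.com; the address 192.0.2.1 and the matching rules (FQDN against dNSName, IP against iPAddress, USER_FQDN against rfc822Name, strict type agreement) are assumptions of this example, not a description of isakmpd's source.

```python
"""
Added example (not from the thread, isakmpd or OpenBSD): what "SubjAltName
matches the Phase 1 ID" means concretely. Builds a DER subjectAltName for a
hypothetical gateway certificate, decodes it with a minimal DER walker, and
tests an IKE Phase 1 identity against it, type for type.
Sample names and addresses are constructed (192.0.2.0/24 is the RFC 5737
documentation range).
"""
import ipaddress

# IKE Phase 1 identification types (IPsec DOI, RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5

# GeneralName choices, context-specific IMPLICIT tags (RFC 5280 section 4.2.1.6).
TAG_RFC822NAME = 0x81  # [1] IA5String
TAG_DNSNAME = 0x82     # [2] IA5String
TAG_IPADDRESS = 0x87   # [7] OCTET STRING, 4 bytes for IPv4, 16 for IPv6


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_general_names(names):
    """Encode [(tag, value_bytes), ...] as the DER GeneralNames SEQUENCE."""
    content = b"".join(bytes([t]) + _der_length(len(v)) + v for t, v in names)
    return b"\x30" + _der_length(len(content)) + content


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_general_names(der):
    """Return the (tag, value) list inside a subjectAltName extension value."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("subjectAltName is not a single SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        names.append((tag, value))
    return names


def phase1_id_matches_san(id_type, id_data, san_der):
    """
    True iff the Phase 1 ID appears in the certificate's subjectAltName with the
    matching GeneralName type. Types are compared strictly: an FQDN ID never
    matches an iPAddress entry, even when it is the textual form of the address.
    """
    names = decode_general_names(san_der)
    if id_type == ID_FQDN:
        want = id_data.lower().encode("ascii")  # DNS names are case-insensitive
        return any(t == TAG_DNSNAME and v.lower() == want for t, v in names)
    if id_type == ID_USER_FQDN:
        want = id_data.encode("ascii")
        return any(t == TAG_RFC822NAME and v == want for t, v in names)
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        addr = ipaddress.ip_address(id_data)
        if addr.version != (4 if id_type == ID_IPV4_ADDR else 6):
            return False  # ID type and address family disagree
        return any(t == TAG_IPADDRESS and v == addr.packed for t, v in names)
    return False  # DN-style and other ID types are not matched against the SAN here


# Constructed subjectAltName for a hypothetical gateway certificate.
GATEWAY_SAN = encode_general_names([
    (TAG_DNSNAME, b"server.foobar.com"),
    (TAG_IPADDRESS, ipaddress.ip_address("192.0.2.1").packed),
])


def check_peer(id_type, id_data, san_der=GATEWAY_SAN):
    """Decision before policy evaluation: accept only if the presented Phase 1 ID
    is bound to the certificate through its SubjAltName."""
    return "accept" if phase1_id_matches_san(id_type, id_data, san_der) else "reject"


if __name__ == "__main__":
    for id_type, id_data in [(ID_FQDN, "server.foobar.com"),
                             (ID_IPV4_ADDR, "192.0.2.1"),
                             (ID_IPV4_ADDR, "192.0.2.2"),
                             (ID_FQDN, "192.0.2.1")]:
        print(id_type, id_data, check_peer(id_type, id_data))
```

The point of the strict type comparison is the one the thread is circling: once the ID is bound to the certificate this way, the policy condition `remote_id == "server.foobar.com"` is a statement about a name the CA vouched for, and no name server lookup is involved in establishing it. A peer presenting an FQDN ID equal to the textual form of an address in the certificate is rejected here, because nothing in the certificate binds that string as a name.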

Andreas Schuldei

Dec 25, 2000, 11:39:51 PM
* Angelos D. Keromytis (ang...@keromytis.com) [001226 05:37]:

> >The idea behind this is to avoid the problems described in the IPsec FAQ
> >(subtitle: almost secure is not secure). This way I avoid the nameserver
> >lookup. Is this in fact a secure way of identifying a peer using a
> >certificate? Or am I overlooking something?
>
> Yes.

Does that mean that I am overlooking something security-wise? What?

Angelos D. Keromytis

Dec 25, 2000, 11:37:16 PM

Sorry; I meant that's a good way of doing things.
-Angelos
