Re: [Fed-Talk] OS X VPN requirements
- Subject: Re: [Fed-Talk] OS X VPN requirements
- From: "Timothy J. Miller" <email@hidden>
- Date: Tue, 15 May 2007 14:46:03 -0500
David Hale wrote:
> Tim, what are those "gotchas"?
The first I mentioned already--packet fragmentation during L2TP
authentication (usually with IPSec NAT-T in use). Some networks will
drop these fragments and while the IPSec connection works, L2TP never
authenticates and the connection dies. Resolution is usually to get out
from behind the NAT device, but that's not always practical.
The second is a config detail; Cisco's L2TP support, while complete, is
annoying to configure correctly and IMHO is not well-documented. But
that's not something Apple can address.
The third is an IKE issue. The IKE standard doesn't (or didn't; I've not
looked recently) explicitly say how to handle certificate chains when
exchanging certs for certificate authenticated IKE. The Cisco
concentrator provides the chain in "end-entity-last" order, and the
Apple client expected *only* the end entity cert (i.e., no chain). The
workaround was to configure the Cisco SA to stop offering the chain
(i.e., only offer the end-entity cert), but the Apple client needs to be
a little smarter about this in general. I bugged this a while back, but
I'm not sure if it was ever fixed as I never had an opportunity to test.
The fourth is an IKE strictness issue. When negotiating
cert-authenticated IKE, the Apple client expects the IP address or DNS
name of the concentrator to be in the VPN concentrator's certificate.
This is not really common practice, and what with load balancing, broken
reverse DNS tables, server moves, etc. it's not a practical requirement.
AFAIK *only* Apple's VPN client rejects IKE when the cert either has
no IP/DNS name included or when a mismatch occurs.
That's all I remember off the top of my head.
-- Tim
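The two IKE certificate problems described above (a chain delivered end-entity-last, and the strict IP/DNS-name check against the concentrator's certificate), as an added illustration that is not part of the original mail or of either vendor's code: certificates are modelled as plain records (subject, issuer, SANs) rather than parsed X.509, and all names and addresses are constructed.

```python
"""Order an IKE certificate payload end-entity-first and check peer identity.

Certificates are modelled as simple records (subject, issuer, SANs) instead of
parsed X.509 so the example runs offline; the ordering and identity-matching
logic is what a client would apply to real certificates.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sans: tuple = ()  # DNS names and/or IP addresses, as strings


def order_chain(certs):
    """Return certs as [end-entity, intermediate..., root] regardless of the
    order the peer sent them (the mail notes Cisco sends end-entity last)."""
    if not certs:
        raise ValueError("empty certificate payload")
    # A subject that issues some other cert in the payload is not the leaf.
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("could not identify a unique end-entity certificate")
    by_subject = {c.subject: c for c in certs}
    chain, cur = [], leaves[0]
    while cur is not None and cur not in chain:  # stop at root or a loop
        chain.append(cur)
        cur = by_subject.get(cur.issuer) if cur.issuer != cur.subject else None
    return chain


def identity_matches(cert, peer):
    """Strict check in the style the mail attributes to the Apple client:
    the peer's IP or DNS name must appear in the end-entity cert's SANs."""
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        peer_ip = None  # peer was given as a DNS name
    for san in cert.sans:
        if peer_ip is not None:
            try:
                if ipaddress.ip_address(san) == peer_ip:
                    return True
            except ValueError:
                continue  # this SAN is a DNS name, not an address
        elif san.lower() == peer.lower():
            return True
    return False


# Constructed sample: chain as a concentrator might offer it, end-entity last.
ROOT = Cert("CN=Example Root", "CN=Example Root")
SUB = Cert("CN=Example Sub CA", "CN=Example Root")
LEAF = Cert("CN=vpn.example.test", "CN=Example Sub CA",
            ("vpn.example.test", "192.0.2.10"))
CISCO_ORDER = [ROOT, SUB, LEAF]
```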