Thank you Michael. Your answer is very useful for me.

On Tue, 28-06-2005 at 15:57 +0200, Michael Bell wrote:
> Jorge Davila wrote:
> 
> > What is the reason for this sentence in the OpenCA documentation?
> > 
> > Certificates for VPN+ Gateways and Machine certificates should include
> > the DNS name and IP address in the subject alternative name.
> 
> F-Secure VPN+ includes, like all IPSec products, a small IP firewall. If
> you use the VPN+ clients as road warriors, for example, then you normally
> only allow IPSec connections to your VPN gateway and the road warriors use
> your internal servers for all services.
> 
> The problem is that services are only available if the connection has
> already been established. If you start the VPN session then you perhaps
> have no DNS, and this is the reason for the sentence. If you start the
> connection to your gateway then you must be able to verify the identity
> without DNS. If you forget to add the IP to the subject alternative name
> then you must allow external DNS via a bypass definition (and try to
> switch later to internal DNS) or you simply have a problem (e.g. static
> local DNS entries) ;)
> 
> Best regards
> 
> Michael
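
An added example, not part of the original thread or of the OpenCA documentation: it issues two throwaway self-signed gateway certificates with the `openssl` CLI (1.1.1 or later assumed for `-addext`) and shows that only the one carrying the IP address in the subject alternative name can be matched without DNS. The gateway name and address are constructed test values.

```shell
#!/bin/sh
# Added example: gateway name and address are constructed test values.
GW_NAME="vpn-gw.example.test"
GW_IP="192.0.2.10"

# make_cert <prefix> <SAN list>: self-signed throwaway cert with the given SANs
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$GW_NAME" -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# san_check <cert> <-checkip|-checkhost> <value>: returns 0 if the cert matches
san_check() {
    out=$(openssl x509 -in "$1" -noout "$2" "$3")
    case "$out" in
        *"does match certificate"*) return 0 ;;
        *) return 1 ;;
    esac
}

# report <cert>: what a client could verify by name and by bare IP address
report() {
    if san_check "$1" -checkhost "$GW_NAME"; then h="match"; else h="NO match"; fi
    if san_check "$1" -checkip "$GW_IP"; then i="match"; else i="NO match"; fi
    echo "$1: DNS name $h, IP address $i"
}

demo() {
    tmp=$(mktemp -d)
    # Certificate as issued when the IP is forgotten in the SAN
    make_cert "$tmp/dns-only" "DNS:$GW_NAME"
    # Certificate as the documentation recommends: DNS name and IP address
    make_cert "$tmp/dns-and-ip" "DNS:$GW_NAME,IP:$GW_IP"
    report "$tmp/dns-only.crt"
    report "$tmp/dns-and-ip.crt"
    rm -rf "$tmp"
}

demo
```
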



_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
