Jorge Davila wrote:
What is the reason for this sentence in the OpenCA documentation? "Certificates for VPN+ Gateways and Machine certificates should include the DNS name and IP address in the subject alternative name."
F-Secure VPN+ includes, like all IPSec products, a small IP firewall. If you use the VPN+ clients as road warriors, for example, then you normally only allow IPSec connections to your VPN gateway, and the road warriors use your internal servers for all services.
The problem is that these services are only available once the connection has been established. When you start the VPN session you perhaps have no DNS, and this is the reason for the sentence. When you start the connection to your gateway you must be able to verify its identity without DNS. If you forget to add the IP to the subject alternative name, then you must allow external DNS via a bypass definition (and try to switch to internal DNS later), or you simply have a problem (e.g. static local DNS entries) ;)
Best regards
Michael

--
_______________________________________________________________
Michael Bell                    Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
[EMAIL PROTECTED]               D-10099 Berlin
_______________________________________________________________
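The point Michael makes above can be reproduced with plain OpenSSL. The script below is an added example and is not from the OpenCA documentation or from the thread: it issues a gateway certificate whose subjectAltName carries both the DNS name and the IP address, then checks the certificate the way a road warrior with no DNS yet must, by IP alone (openssl verify -verify_ip). A second certificate that lists only the DNS name passes the name check but fails the IP check. The host name vpn.example.org and the address 192.0.2.10 are assumptions chosen for the demo; the certificates are self-signed to keep the example short, whereas a real gateway certificate would be signed by the CA the clients trust. Requires OpenSSL 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example (not OpenCA or F-Secure code): why a VPN gateway certificate
# needs the IP address in subjectAltName, not only the DNS name.
set -eu

# Assumed gateway identity for the demo (hypothetical values).
GW_DNS="vpn.example.org"
GW_IP="192.0.2.10"

# issue_cert SAN OUTPREFIX: self-signed RSA cert with the given SAN list.
# (Self-signed only for brevity; a real gateway cert is CA-signed.)
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$2.key" -out "$2.crt" \
        -subj "/CN=$GW_DNS" \
        -addext "subjectAltName=$1" >/dev/null 2>&1
}

# What a client does before DNS is reachable: verify the chain and require
# that the leaf's SAN contains the IP it dialled. Self-signed here, so the
# cert is its own trust anchor (-CAfile).
verify_by_ip() {
    openssl verify -CAfile "$1" -verify_ip "$GW_IP" "$1" >/dev/null 2>&1
}

# What a client can do once internal DNS works: match on the host name.
verify_by_name() {
    openssl verify -CAfile "$1" -verify_hostname "$GW_DNS" "$1" >/dev/null 2>&1
}

# Cert with DNS name and IP in the SAN: accepted both by IP and by name.
gateway_cert_verifies_by_ip() {
    dir=$(mktemp -d)
    issue_cert "DNS:$GW_DNS,IP:$GW_IP" "$dir/gw"
    if verify_by_ip "$dir/gw.crt" && verify_by_name "$dir/gw.crt"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Cert with only the DNS name in the SAN: the name check still passes, but
# the IP check must fail. A road warrior with no DNS yet cannot bind this
# cert to the address it connected to, which is the problem described above.
dns_only_cert_fails_by_ip() {
    dir=$(mktemp -d)
    issue_cert "DNS:$GW_DNS" "$dir/gw"
    if verify_by_name "$dir/gw.crt" && ! verify_by_ip "$dir/gw.crt"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Stand-alone run: report both cases.
gateway_cert_verifies_by_ip && echo "DNS+IP SAN: accepted by IP and by name"
dns_only_cert_fails_by_ip && echo "DNS-only SAN: accepted by name, rejected by IP"
```

To see the actual reason OpenSSL gives for the second case, drop the redirection in verify_by_ip; the verification error names the IP address mismatch. The same -verify_ip check is what an IPSec peer effectively performs when it matches the gateway certificate against the address it tunnels to, so the SAN must carry the IP form of the identity (IP:...), not the address written as a DNS: entry.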
