Screen OS

  • 1.  Certificate based VPN with Cisco fails

    Posted 03-22-2010 07:48
    Hi all,

    Policy based VPN with certificates to a Cisco IOS 12.3 Advanced Security: a Phase 1 error occurs: "Cert received has a different FQDN SubAltName than expected." The Cisco router has no SubAltName option in the certificate request, so the certificate that I can install on it cannot contain this field. Please let me know how I can configure the SSG to ignore these fields (the missing fields are IP and DNS name, both in the SubAltName field). I've found the following article: http://kb.juniper.net/KB5833 This states that the SSG only checks these parameters when FQDN peer ID is used. I use IP address, not FQDN. I attach the debug ike output. If I change the authentication to preshared key the VPN works.


    Thanks in advance, Balázs

    Attachment(s): debug-ike-all.txt


  • 2.  RE: Certificate based VPN with Cisco fails
    Best Answer

    Posted 03-25-2010 01:09

    I found the solution on the Cisco certificate site.

    1. Have to make the cert request on Cisco.

    2. Modify the Windows CA settings as described here: http://support.microsoft.com/kb/931351

    3. When adding the cert request to the CA, add the two SAN attributes to the request.

    4. Issue the cert, and auth will be fine 🙂
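The thread turns on whether the issued certificate actually carries the two SubjectAltName entries (an IP address and a DNS name) that the SSG compares against the peer ID. The following is an added example, not code from the thread, ScreenOS or Cisco: it encodes and decodes the DER `GeneralNames` value of a SAN extension (RFC 5280, section 4.2.1.6) so you can confirm, before loading a certificate on a gateway, that step 3's SAN attributes really ended up in it. The hostname `vpn-rtr.example.net` and address `192.0.2.1` are constructed sample values, and `san_has_peer_id` is a simplified model of a peer-ID comparison, not the gateway's real logic.

```python
"""Encode and decode an X.509 SubjectAltName (SAN) extension value.

Added illustration for the certificate-VPN thread above; pure standard
library, no dependency on a PKI toolkit.  The SAN value itself is:

    GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
    dNSName   [2] IA5String
    iPAddress [7] OCTET STRING      (4 bytes IPv4, 16 bytes IPv6)
"""
import ipaddress

# Extension OID id-ce-subjectAltName is 2.5.29.17; this block handles only the
# extension's inner value, not the surrounding certificate structure.
TAG_DNS_NAME = 0x82    # context-specific [2], primitive
TAG_IP_ADDRESS = 0x87  # context-specific [7], primitive
TAG_SEQUENCE = 0x30


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value


def encode_san(dns_names=(), ip_addresses=()):
    """Build the DER GeneralNames value with the given dNSName/iPAddress entries."""
    items = b""
    for name in dns_names:
        items += _tlv(TAG_DNS_NAME, name.encode("ascii"))
    for ip in ip_addresses:
        items += _tlv(TAG_IP_ADDRESS, ipaddress.ip_address(ip).packed)
    return _tlv(TAG_SEQUENCE, items)


def _read_len(buf, pos):
    """Parse DER length at buf[pos]; return (length, position after length)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_san(der):
    """Parse a DER GeneralNames value into DNS names, IP addresses and other tags."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("SAN value must start with a SEQUENCE")
    length, pos = _read_len(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("SAN SEQUENCE length does not match buffer")
    dns, ips, other = [], [], []
    while pos < end:
        tag = der[pos]
        vlen, vpos = _read_len(der, pos + 1)
        value = der[vpos:vpos + vlen]
        if tag == TAG_DNS_NAME:
            dns.append(value.decode("ascii"))
        elif tag == TAG_IP_ADDRESS:
            ips.append(str(ipaddress.ip_address(value)))  # accepts packed bytes
        else:
            other.append(tag)  # e.g. rfc822Name [1], URI [6]; kept for visibility
        pos = vpos + vlen
    return {"dns": dns, "ip": ips, "other_tags": other}


def san_has_peer_id(der, expected_ip=None, expected_dns=None):
    """Simplified peer-ID check (assumption, not ScreenOS logic): True only if
    every expected identity is present in the SAN."""
    if not der or (expected_ip is None and expected_dns is None):
        return False
    san = decode_san(der)
    if expected_ip is not None and str(ipaddress.ip_address(expected_ip)) not in san["ip"]:
        return False
    if expected_dns is not None and expected_dns.lower() not in [d.lower() for d in san["dns"]]:
        return False
    return True


# Constructed sample: the SAN a CA would add per step 3 of the answer above.
SAMPLE_SAN = encode_san(dns_names=["vpn-rtr.example.net"], ip_addresses=["192.0.2.1"])

if __name__ == "__main__":
    print(SAMPLE_SAN.hex())
    print(decode_san(SAMPLE_SAN))
    print("peer id by IP ok:", san_has_peer_id(SAMPLE_SAN, expected_ip="192.0.2.1"))
    print("cert without SAN:", san_has_peer_id(encode_san(), expected_ip="192.0.2.1"))
```

On a real certificate, extract the SAN extension value (for example with `openssl x509 -noout -text` or an ASN.1 dumper) and feed its DER bytes to `decode_san`; an empty `dns`/`ip` result is exactly the condition the original poster hit, since the router's request carried no SAN and the CA did not add one.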