ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
BB
Contributor
BB
Posts: 28
Registered: ‎12-14-2007
0
Accepted Solution

Certificate based VPN with Cisco fails

Options

‎03-22-2010 07:48 AM 

Hi all,
Hi all, 
Policy based VPN with Certificates to a Cisco IOS 12.3 Advanced Security Phase 1 error occurs: Cert received has a different FQDN SubAltName than expected.The cisco router has no SubAltName option in Certificate request so the certificate what I can install on that cannot contain this field. Please let me know how can I configure the SSG to ignore these fields. (the missing fields are IP and DNS name (both in SubAltName field)I've found the following article: http://kb.juniper.net/KB5833 This states that SSG only checks these parameters when FQDN peer ID is used. I use IP address not FQDN.I attach the debug ike output. If I cange the authentication to presahred key the VPN works. 


Thanx in advance, Balázs
Attachment debug-ike-all.txt ‏3 KB
Message 1 of 2 (33,116 Views)
 
Reply
BB
Contributor
BB
Posts: 28
Registered: ‎12-14-2007
0

Re: Certificate based VPN with Cisco fails

Options

‎03-25-2010 01:08 AM

I found the solution at Cisco-certificate site.

 

1. Have to makle the Cert request on Cisco

2. Modify the Windows CA settings described here: http://support.microsoft.com/kb/931351

3. When adding the cert request to the CA add the two san attributes to the reqest.

4. Issue the cert, and auth will be fine :smileyhappy:

Message 2 of 2 (33,084 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.