topic Re: IKE Certificate Authentication Peer ID in General Topics

IKE Certificate Authentication Peer ID

Chris.Billett — Thu, 10 Dec 2020 15:23:11 GMT

Hi,

Im trying to setup a VPN connection using certificate based authentication. When Phase 1 tries to establish I'm getting the following error

Peer's ID payload ' IPv4_address:xxx.xxx.xxx.xxx' does not match certificate ID, Error: failed to get subjectAltName.

I have added the peer's IP address to the IP(SAN) of the certificate and also tried using 'Permit peer identification and certificate payload identification mismatch' with no luck.

Any further suggestions on how to bring up phase 1?

Thanks

Re: IKE Certificate Authentication Peer ID

Retired Member — Thu, 10 Dec 2020 22:04:35 GMT

The error seems to suggest that either A. The other side is sending a local identification that does not match any SAN that is present on the certificate or B. Does not contain a SAN attribute on the certificate at all.

Are both sides under your control, where you're able to generate a new certificate if need be or inspect the current attributes of the certificate it's using?

Also make sure the Certificate Profile on the VPN contains the Intermediate, Root or Self Signed certificate and is marked as a Trusted certificate in the local device store.

Re: IKE Certificate Authentication Peer ID

Chris.Billett — Fri, 11 Dec 2020 08:39:15 GMT

Hi,

I can generate a new certificate if required.

The issue is that it's looking for the peer id which is an IP address in the SAN. I have added this into the cert and verified its there in the SAN but it still doesn't not get picked up during the phase 1 verification - would it be work adding another san entry like hostname and adding the IP address?

Re: IKE Certificate Authentication Peer ID

Retired Member — Fri, 11 Dec 2020 09:24:33 GMT

If you can generate a new certificate it would defiantly be worth generating a new one containing additional SAN entries.

I'd suggest tagging on the SANs Hostname, FQDN and IP address and check if you can get the firewall to recognize these attributes as the Peer Identification.

Re: IKE Certificate Authentication Peer ID

Chris.Billett — Fri, 11 Dec 2020 14:35:19 GMT

New certificate didn't do the trick. PA Support also don't seem to know either 😞

Re: IKE Certificate Authentication Peer ID

Retired Member — Fri, 11 Dec 2020 15:21:15 GMT

Are you sure you've imported the peers certificate, or signer of the certificate, in the local firewall and added a certificate profile containing this certificate which applies on the VPN?

The Peer Identification, local and peer, needs to match on both sides (Reverse local/Remote) and the Cert Profile, if containing the cert marked as trusted, should set up the Phase 1 connection.

Re: IKE Certificate Authentication Peer ID

Chris.Billett — Fri, 11 Dec 2020 15:30:02 GMT

Ok to go through the motions..

I generated a CSR using my public IP as the CN

I sent my CSR to the peer who signed it and sent back their Root, Int CA's and my signed cert
I imported all 3

In the IKE setup I set the Cert to be the signed cert
I created a cert profile adding both CA's
I then set Local Identification to be my DN record of the Cert (as this populate this way)
I then set the Peer Identification to be their IP

If I change the IP to be something else it fails before the authentication saying the Peer ID they presented didnt match.

Re: IKE Certificate Authentication Peer ID

Retired Member — Fri, 11 Dec 2020 16:00:50 GMT

Gotcha, just to clarify did you also designate SAN attributes for your firewall cert and for the cert the other firewall is using?

Like:

The additional attributes are SAN items which seem related to the error where no additional attributes were found.

It would end up local something similar to the below screenshot if he other side has a certificate with Email Otherunit@local.local.

Lastly the intermediate and/or root need to be marked in the certificate store as trusted CA's

Re: IKE Certificate Authentication Peer ID

Chris.Billett — Fri, 11 Dec 2020 16:04:18 GMT

I tried setting the SAN for IP to be that of the remote peer.

Im in the process of waiting for a new cert to be signed where the SAN IP is set to the local peer ip as you show in your screenshots.

Re: IKE Certificate Authentication Peer ID

Chris.Billett — Fri, 11 Dec 2020 16:09:41 GMT

Sorry yes, I have also set these to trusted.

If i set anything other than the IP address in the Peer Identification field i get the following error

received ID_R (type ipaddr [xxx.xxx.xxx.xxx]) does not match peer ID

So if i set it back to the IP i then get the cert error

Re: IKE Certificate Authentication Peer ID

Retired Member — Fri, 11 Dec 2020 16:13:22 GMT

That would mean the Peer firewall is sending it's IP address as Local Identifier, however the question is if this is also defined on the certificate the Peer is using as that needs to match aswell.

So the Peers Certificate would need a SAN Attribute "IP Address" with it's IP.

Re: IKE Certificate Authentication Peer ID

Chris.Billett — Fri, 11 Dec 2020 16:47:06 GMT

I've posed the question to my peer.

I added this IP as a SAN entry in my CSR but as far as their side im not sure.

Re: IKE Certificate Authentication Peer ID

Retired Member — Sat, 12 Dec 2020 14:25:30 GMT

Taking the original error and picking it piece by piece.

Peer's ID payload ' IPv4_address:xxx.xxx.xxx.xxx' does not match certificate ID, Error: failed to get subjectAltName.

It would seem that their side does have their Local ID Field and IP Field are filled with an IP address however the certificate they use doesn't seem to have a SAN at all, or a matching IP address SAN on the certificate.

Looking at the last bit my guestimate would be the second case.

Next step would be to verify if this is actually the case by either having them check the config or make a PCAP of the initial exchange to capture the certificate info (Depending on the Ike version and mode of connection (Main/aggressive)).