IKE Certificate Authentication Peer ID

BeardedTree
L2 Linker

That would mean the peer firewall is sending its IP address as Local Identifier; however, the question is whether this is also defined on the certificate the peer is using, as that needs to match as well.

So the peer's certificate would need a SAN attribute "IP Address" with its IP.

-- In case of emergency unplug cables--
Chris.Billett
L1 Bithead

I've posed the question to my peer.

I added this IP as a SAN entry in my CSR, but as far as their side goes, I'm not sure.

BeardedTree
L2 Linker

Taking the original error and picking it apart piece by piece.

Peer's ID payload ' IPv4_address:xxx.xxx.xxx.xxx' does not match certificate ID, Error: failed to get subjectAltName.

It would seem that their side does have their Local ID field and IP field filled with an IP address; however, the certificate they use doesn't seem to have a SAN at all, or a matching IP address SAN on the certificate.

Looking at the last bit, my guesstimate would be the second case.

The next step would be to verify whether this is actually the case, either by having them check the config or by making a PCAP of the initial exchange to capture the certificate info (depending on the IKE version and mode of connection (main/aggressive)).

-- In case of emergency unplug cables--
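To make the two failure modes discussed in this thread concrete (a certificate with no subjectAltName at all versus a SAN that does not carry the IP the peer sends in its ID payload), here is an added example that is not part of the original posts or of any PAN-OS code. It assumes a hand-built DER Extensions structure (only the SAN and a filler basicConstraints extension, not a full X.509 certificate) and applies the same matching rule a responder applies: an IKE ID of type IPv4_address/IPv6_address must appear as an iPAddress GeneralName, FQDN as a dNSName, and user FQDN as an rfc822Name. The result strings deliberately echo the wording of the error quoted above; the sample extension blobs and IP 203.0.113.10 are constructed for the example.

```python
"""Match an IKE peer ID payload against a certificate's subjectAltName.

Added example, not from the thread or from PAN-OS. Assumption: the
certificate is represented only by its DER Extensions SEQUENCE, built
inline with a minimal DER encoder, so the block runs offline.
"""
import ipaddress

OID_SAN = bytes.fromhex("551d11")  # 2.5.29.17 subjectAltName
OID_BC = bytes.fromhex("551d13")   # 2.5.29.19 basicConstraints (filler)

# GeneralName context tags (RFC 5280 4.2.1.6) and the IKE ID types they satisfy
TAG_RFC822 = 0x81  # rfc822Name <-> ID_RFC822_ADDR ("user FQDN")
TAG_DNS = 0x82     # dNSName    <-> ID_FQDN
TAG_IP = 0x87      # iPAddress  <-> ID_IPV4_ADDR / ID_IPV6_ADDR


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, off):
    """Decode the TLV at buf[off]; return (tag, value, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = off + hdr
    return tag, buf[start:start + length], start + length


def iter_tlv(buf):
    """Yield (tag, value) for each consecutive TLV in buf."""
    off = 0
    while off < len(buf):
        tag, val, off = read_tlv(buf, off)
        yield tag, val


def build_extensions(san_names=None):
    """Constructed Extensions SEQUENCE; san_names is [(tag, bytes)] or None."""
    exts = [tlv(0x30, tlv(0x06, OID_BC) + tlv(0x04, tlv(0x30, b"")))]
    if san_names is not None:
        general_names = b"".join(tlv(t, v) for t, v in san_names)
        exts.append(tlv(0x30, tlv(0x06, OID_SAN) + tlv(0x04, tlv(0x30, general_names))))
    return tlv(0x30, b"".join(exts))


def get_san(ext_der):
    """Return the SAN GeneralNames as [(tag, value)], or None if absent."""
    _, ext_seq, _ = read_tlv(ext_der, 0)
    for _, ext in iter_tlv(ext_seq):
        fields = list(iter_tlv(ext))  # extnID, [critical], extnValue
        if fields[0][1] != OID_SAN:
            continue
        _, gn_seq, _ = read_tlv(fields[-1][1], 0)  # extnValue wraps a SEQUENCE
        return list(iter_tlv(gn_seq))
    return None


def check_peer_id(ext_der, id_type, id_value):
    """Apply the responder's rule: the ID payload must match a SAN entry."""
    san = get_san(ext_der)
    if san is None:
        return "Error: failed to get subjectAltName"
    if id_type in ("IPv4_address", "IPv6_address"):
        want = (TAG_IP, ipaddress.ip_address(id_value).packed)
    elif id_type == "FQDN":
        want = (TAG_DNS, id_value.lower().encode())
    elif id_type == "user_FQDN":
        want = (TAG_RFC822, id_value.lower().encode())
    else:
        raise ValueError("unsupported IKE ID type: %s" % id_type)
    for tag, val in san:
        if tag == want[0] and (val if tag == TAG_IP else val.lower()) == want[1]:
            return "OK"
    return "Peer's ID payload '%s:%s' does not match certificate ID" % (id_type, id_value)


def san_ip(addr):
    return (TAG_IP, ipaddress.ip_address(addr).packed)


def san_dns(name):
    return (TAG_DNS, name.encode())


# Constructed sample "certificates" (extensions only) for the three cases
EXT_WITH_IP_SAN = build_extensions([san_dns("vpn.example.net"), san_ip("203.0.113.10")])
EXT_DNS_ONLY = build_extensions([san_dns("vpn.example.net")])
EXT_NO_SAN = build_extensions(None)

if __name__ == "__main__":
    for label, ext in [("IP in SAN", EXT_WITH_IP_SAN), ("DNS-only SAN", EXT_DNS_ONLY),
                       ("no SAN", EXT_NO_SAN)]:
        print(label, "->", check_peer_id(ext, "IPv4_address", "203.0.113.10"))
```

The useful distinction is that "failed to get subjectAltName" comes from the extension being absent, while a SAN that exists but lacks the IP yields only the "does not match" part; a PCAP of the peer's CERT payload, or `openssl x509 -noout -text` on the exported certificate, shows which case you are in.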