For details on cookie usage on our site, read our Privacy Policy
IKE Certificate Authentication Peer ID
- LIVEcommunity
- Discussions
- General Topics
- IKE Certificate Authentication Peer ID
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
IKE Certificate Authentication Peer ID
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-10-2020 07:23 AM
Hi,
Im trying to setup a VPN connection using certificate based authentication. When Phase 1 tries to establish I'm getting the following error
Peer's ID payload ' IPv4_address:xxx.xxx.xxx.xxx' does not match certificate ID, Error: failed to get subjectAltName.
I have added the peer's IP address to the IP(SAN) of the certificate and also tried using 'Permit peer identification and certificate payload identification mismatch' with no luck.
Any further suggestions on how to bring up phase 1?
Thanks
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-10-2020 02:04 PM
The error seems to suggest that either A. The other side is sending a local identification that does not match any SAN that is present on the certificate or B. Does not contain a SAN attribute on the certificate at all.
Are both sides under your control, where you're able to generate a new certificate if need be or inspect the current attributes of the certificate it's using?
Also make sure the Certificate Profile on the VPN contains the Intermediate, Root or Self Signed certificate and is marked as a Trusted certificate in the local device store.
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-11-2020 12:39 AM
Hi,
I can generate a new certificate if required.
The issue is that it's looking for the peer id which is an IP address in the SAN. I have added this into the cert and verified its there in the SAN but it still doesn't not get picked up during the phase 1 verification - would it be work adding another san entry like hostname and adding the IP address?
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-11-2020 01:24 AM
If you can generate a new certificate it would defiantly be worth generating a new one containing additional SAN entries.
I'd suggest tagging on the SANs Hostname, FQDN and IP address and check if you can get the firewall to recognize these attributes as the Peer Identification.
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-11-2020 06:35 AM
New certificate didn't do the trick. PA Support also don't seem to know either 😞
- Azure SAML double windows to select account in GlobalProtect Discussions
- GP client Auth Certification in GlobalProtect Discussions
- Site to Site RSA_verify failed , error rsa routines (PaloAlto to checkpoint SMB) in Next-Generation Firewall Discussions
- Using Radius Authentication Peap-MSCHAPv2 for PA Management Interface Error: 400 in General Topics
- Question about device registration authentication key re-certify in Panorama Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
