FortiGate
achowdhury
Staff
Article Id 198733

Description
This article describes how to resolve an IPsec tunnel that fails to establish because the peer's certificate DN contains an entry that FortiGate does not recognize.

#config user peer
edit "withcerti_peer"
set ca "CA_Cert_2"
set cn "C = FI, O = tech, OU = Q.41, CN = Arifnoor Chowdhury, UID = c725ac6d-6c29-454b-a9c2-5c161756265f:2087"
next
end


Solution
In the above scenario, the tunnel will not be established when the peer is configured with the full DN:
set cn "C = FI, O = tech, OU = Q.41, CN = Arifnoor Chowdhury, UID = c725ac6d-6c29-454b-a9c2-5c161756265f:2087"


The following are the solutions:

#config user peer
edit "withcerti_peer"
set ca "CA_Cert_2"
unset cn
next
end

Notice that the configuration contains the DN attribute 'UID'. After the design change, this causes peer-ID matching to fail, because UID is not a supported attribute. Previously, peer-ID comparison was done by string matching rather than attribute matching, and that was deemed insecure.

The currently supported attributes are: C, S/P/ST, L, O, OU (max 4), CN, EmailAddress.
If the CN entry is needed, the tunnel can also be established with the following configuration:

#config user peer
edit "withcerti_peer"
set ca "CA_Cert_2"
set cn "Arifnoor Chowdhury"
next
end
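To make the attribute-matching rule concrete, here is a small Python model written for this article (an added illustration, not FortiOS code). It parses a peer `cn` string, reports attributes outside the supported list such as UID, and matches the configured peer against a certificate subject attribute by attribute instead of by whole-string comparison. The attribute list, the OU limit and the constructed subject string come from this article; the exact matching semantics (every configured attribute must appear in the subject, order-insensitive, extra subject attributes ignored) are an assumption.

```python
# Illustrative model of attribute-based peer-ID matching, written for this
# article; it is not FortiOS code and does not claim to mirror its internals.

SUPPORTED_ATTRS = {"C", "S", "P", "ST", "L", "O", "OU", "CN", "EMAILADDRESS"}
OU_MAX = 4


def parse_dn(dn):
    """Turn 'C = FI, O = tech, ...' into a list of (ATTR, value) pairs.

    A string without any '=' is treated as a bare CN value, mirroring
    'set cn "Arifnoor Chowdhury"' from the article. Escaped commas inside
    values are not handled (a simplification of this constructed example).
    """
    if "=" not in dn:
        return [("CN", dn.strip())]
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn.strip()!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_peer_dn(dn):
    """Return the problems that make a configured 'cn' string unusable."""
    problems = []
    pairs = parse_dn(dn)
    for attr, _ in pairs:
        if attr not in SUPPORTED_ATTRS:
            problems.append(f"unsupported attribute {attr}")
    ou_count = sum(1 for attr, _ in pairs if attr == "OU")
    if ou_count > OU_MAX:
        problems.append(f"too many OU values ({ou_count} > {OU_MAX})")
    return problems


def string_peer_matches(configured_dn, cert_subject_dn):
    """The old, brittle approach: whole-string comparison of the two DNs."""
    return configured_dn == cert_subject_dn


def attribute_peer_matches(configured_dn, cert_subject_dn):
    """Attribute-wise match: every configured (attr, value) pair must be present
    in the certificate subject; order and spacing do not matter. Assumption: the
    subject may carry extra attributes (e.g. UID) the peer config never names."""
    if check_peer_dn(configured_dn):
        return False  # unsupported attribute in the peer config: never matches
    subject = parse_dn(cert_subject_dn)
    return all(pair in subject for pair in parse_dn(configured_dn))
```

Running `check_peer_dn` on the article's original `set cn` value reports the UID attribute, while the two working configurations from the article pass and match the constructed subject.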
