Created on 08-01-2019 01:33 AM Edited on 11-23-2021 08:15 AM By Anonymous
Description
This article describes how to resolve the issue where an IPsec tunnel fails to establish because the peer certificate's subject contains a DN attribute that peer-ID matching does not recognise.
#config user peer
edit "withcerti_peer"
set ca "CA_Cert_2"
set cn "C = FI, O = tech, OU = Q.41, CN = Arifnoor Chowdhury, UID = c725ac6d-6c29-454b-a9c2-5c161756265f:2087"
next
end
Solution
In the above scenario, the tunnel will not establish when the peer is configured with the full subject string:
set cn "C = FI, O = tech, OU = Q.41, CN = Arifnoor Chowdhury, UID = c725ac6d-6c29-454b-a9c2-5c161756265f:2087"
The following configurations resolve the issue:
#config user peer
edit "withcerti_peer"
set ca "CA_Cert_2"
unset cn
next
end
The configuration above contains the DN attribute 'UID'. After the design change, this causes peer-ID matching to fail because UID is not a supported attribute. Previously, peer-ID comparison was done by string matching instead of attribute matching, and that was deemed insecure.
Currently the supported attributes are: C, S/P/ST, L, O, OU (max 4), CN, EmailAddress.
If a CN entry is required, the tunnel can also be established with the following configuration:
#config user peer
edit "withcerti_peer"
set ca "CA_Cert_2"
set cn "Arifnoor Chowdhury"
next
end
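As an added illustration, not code from the article or from FortiOS, the following Python models attribute-based peer-ID matching against the supported-attribute list above and contrasts it with the older whole-string comparison. The DN parsing rules, the treatment of S/P as spellings of ST, and the "every configured attribute must appear in the subject" semantics are assumptions made for this model.

```python
# Added model of attribute-based peer-ID matching (not FortiOS code).
# Attributes the article lists as supported; S/P are assumed to be
# alternative spellings of ST (stateOrProvinceName).
SUPPORTED = {"C", "ST", "L", "O", "OU", "CN", "EMAILADDRESS"}
ALIASES = {"S": "ST", "P": "ST"}
MAX_OU = 4

# Certificate subject taken from the article's configuration.
CERT_SUBJECT = ("C = FI, O = tech, OU = Q.41, CN = Arifnoor Chowdhury, "
                "UID = c725ac6d-6c29-454b-a9c2-5c161756265f:2087")

def parse_dn(dn):
    """Split 'C = FI, O = tech, ...' into (attribute, value) pairs.

    A string without '=' (e.g. set cn "Arifnoor Chowdhury") is treated
    as a bare CN. Assumption: commas only separate RDNs.
    """
    if "=" not in dn:
        return [("CN", dn.strip())]
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        pairs.append((ALIASES.get(attr, attr), value.strip()))
    return pairs

def config_problems(peer_cn):
    """List why a configured peer 'cn' can never match by attribute."""
    pairs = parse_dn(peer_cn)
    problems = [f"unsupported attribute {a}" for a, _ in pairs if a not in SUPPORTED]
    if sum(1 for a, _ in pairs if a == "OU") > MAX_OU:
        problems.append(f"more than {MAX_OU} OU values")
    return problems

def peer_matches(peer_cn, cert_subject):
    """Attribute matching: every configured (attribute, value) pair must
    appear in the certificate subject; unsupported attributes never match."""
    if config_problems(peer_cn):
        return False
    subject = parse_dn(cert_subject)
    return all(pair in subject for pair in parse_dn(peer_cn))

def legacy_string_match(peer_cn, cert_subject):
    """The older whole-string comparison the article calls insecure."""
    return peer_cn.strip() == cert_subject.strip()

if __name__ == "__main__":
    print(config_problems(CERT_SUBJECT))      # ['unsupported attribute UID']
    print(peer_matches("Arifnoor Chowdhury", CERT_SUBJECT))  # True
```

Running it shows why the full subject string matched under the old string comparison but fails under attribute matching, while a CN-only peer (or a subject without UID) still matches.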
Copyright 2024 Fortinet, Inc. All Rights Reserved.