The number of DN entries on the Dial Up VPN User on the NetScreen must one less than the number of entries on Certificate Manager on NetScreen Remote.

Example:

On Certificate Manager, assume the following fields are entered:

1. Name
2. Company
3. State
4. Country

On Dial Up VPN User on the NetScreen, the following should be specified:

1. CN
2. Organization
3. Country

This is fixed in ScreenOS 3.0.2 for the NetScreen-5XP, and ScreenOS 3.0.3 for all other platforms.

Here is the problem or goal:

• Using Distinguish Name for ID
• IPSEC phase 1 failed
• debug ike detail output:peer identity.
  get_user_id_by_dn:peer dn has 6 elements.
  get_user_id_by_dn:compare user id<0>.
  ct:aaa
  ct:security
  ct:BB
  ct:LS
  ct:VD
  ct:US
  ct:aaa@aa.com
  num elem<7>.
  : ret num elem<7>.
  getIkePeerByDialup:Cannot locate user id.
   
• Configure IPSEC phase 1 between NS Remote and Netscreen

Problem Environment:

• All VPN related configuration such as encryption algorithm, hash alrorithm, policy, address book are configured correctly.
• All certificates are loaded successfully and the certificate are not expired.

Applicable Products:

• NetScreen-5
• NetScreen-5XP
• NetScreen-10
• NetScreen-25
• NetScreen-50
• NetScreen-100
• NetScreen-204
• NetScreen-208
• NetScreen- 500
• NetScreen-1000

Applicable ScreenOS:

• 2.6.0
• 2.6.1
• 2.7.1
• 2.8.0
• 3.0.0
• 3.0.1
• 3.0.2
• 3.1.0