Dial Up PKI VPN fails phase 1

[KB5158]


Summary:
Dial Up PKI VPN fails phase 1
Symptoms:
All VPN-related configuration such as encryption algorithm, hash algorithm, policy and address book entries are configured correctly.
All certificates are loaded successfully and the certificates are not expired.
Using Distinguished Name for ID
IPSEC phase 1 failed
debug ike detail output:
peer identity<CN=aaa,OU=security,O=BB,L=LS,ST=VD,C=US,Email=aaa@aa.com>.
get_user_id_by_dn:peer dn has 6 elements.
get_user_id_by_dn:compare user id<0>.
ct:aaa
ct:security
ct:BB
ct:LS
ct:VD
ct:US
ct:aaa@aa.com
num elem<7>.
: ret num elem<7>.
getIkePeerByDialup:Cannot locate user id.
 

Solution:

The number of DN entries on the Dial Up VPN User on the NetScreen must be one less than the number of entries on Certificate Manager on NetScreen Remote.

Example:

On Certificate Manager, assume the following fields are entered:

  1. Name
  2. Company
  3. State
  4. Country

On Dial Up VPN User on the NetScreen, the following should be specified:

  1. CN
  2. Organization
  3. Country

This is fixed in ScreenOS 3.0.2 for the NetScreen-5XP, and ScreenOS 3.0.3 for all other platforms.
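To make the element-count mismatch in the debug output easier to spot, here is a small added Python checker (not NetScreen code, and not the matching logic ScreenOS itself runs) that parses the peer identity DN, reads the two element counts from the "debug ike detail" lines, and applies the one-fewer-element rule from the Solution above to a configured user ID. The sample debug text is constructed from the lines quoted in this article.

```python
import re

# Constructed sample modelled on the "debug ike detail" lines quoted in this article.
SAMPLE_DEBUG = """\
peer identity<CN=aaa,OU=security,O=BB,L=LS,ST=VD,C=US,Email=aaa@aa.com>.
get_user_id_by_dn:peer dn has 6 elements.
get_user_id_by_dn:compare user id<0>.
num elem<7>.
getIkePeerByDialup:Cannot locate user id.
"""

def parse_dn(dn):
    """Split 'CN=aaa,OU=security,...' into an ordered list of (attribute, value) pairs."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def peer_identity(debug_text):
    """Pull the peer identity DN out of the debug output (empty list if absent)."""
    m = re.search(r"peer identity<([^>]*)>", debug_text)
    return parse_dn(m.group(1)) if m else []

def element_counts(debug_text):
    """Return (peer DN element count, dial-up user ID element count) as logged."""
    peer = re.search(r"peer dn has (\d+) elements", debug_text)
    user = re.search(r"num elem<(\d+)>", debug_text)
    return (int(peer.group(1)) if peer else None,
            int(user.group(1)) if user else None)

def diagnose(debug_text):
    """Flag the failure pattern from this article: a user ID with as many or more
    elements than the peer DN, which ends in 'Cannot locate user id'."""
    peer, user = element_counts(debug_text)
    if peer is None or user is None:
        return "no DN element counts found"
    if user >= peer:
        return f"mismatch: user ID has {user} elements, peer DN has {peer}"
    return "ok"

def user_id_matches(cert_dn, user_dn):
    """Apply the article's rule: the dial-up user ID must have exactly one element
    fewer than the certificate DN, and every element it lists must be in the certificate."""
    if len(user_dn) != len(cert_dn) - 1:
        return False
    return all(pair in cert_dn for pair in user_dn)
```

Paste the real debug output into diagnose() to confirm the count mismatch before changing the Dial Up VPN User configuration.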

Here is the problem or goal:

  • Using Distinguished Name for ID
  • IPSEC phase 1 failed
  • debug ike detail output shows the peer identity but reports "Cannot locate user id"
  • Configure IPSEC phase 1 between NS Remote and NetScreen

Problem Environment:

  • All VPN-related configuration such as encryption algorithm, hash algorithm, policy and address book entries are configured correctly.
  • All certificates are loaded successfully and the certificates are not expired.

Applicable Products:

  • NetScreen-5
  • NetScreen-5XP
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500
  • NetScreen-1000

Applicable ScreenOS:

  • 2.6.0
  • 2.6.1
  • 2.7.1
  • 2.8.0
  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.1.0
