
Problems with PKI using IP address in Subject Alternative Name


Article ID: KB6941 | Last Updated: 21 Jan 2017 | Version: 4.0

Summary:
Problems with PKI using IP address in Subject Alternative Name

Symptoms:
Certificate has Subject Alternative Name using IP address
Problems with PKI using IP address in Subject Alternative Name
Error processing CERT
Cert received has a different IP address SubAltName than expected
Solution:
No FQDN in the subject alternative name

By default, when a certificate is used to authenticate an IKE session (as is the case for a PKI VPN), the IKE ID used is the FQDN. The IKE ID specified on the IKE gateway on the NetScreen must be the same as the subject alternative name on the certificate. If the subject alternative name on the certificate and the IKE ID on the NetScreen do not match, you will get the debug message "Cert received has a different IP address SubAltName than expected."

For example, assume the certificate is using a subject alternative name of 1.1.1.2.

Also assume the phase 1 gateway is defined as the following:

set ike gateway "P1" ip 1.1.1.1 Main outgoing-interface "ethernet1" proposal "rsa-g2-3des-sha"

The output of debug ike detail for this would look like the following:

##2003-11-04 15:39:27 system-debugging: IKE<1.1.1.2> ID received: type=ID_FQDN FQDN = ns5gt.netscreen.com port=500, protocol=17
##2003-11-04 15:39:27 system-debugging: ID processed. return 0. sa->p1_state = 2.
##2003-11-04 15:39:27 system-debugging: IKE<1.1.1.2> Process CERT:
##2003-11-04 15:39:27 system-debugging: IKE<1.1.1.2> Processing CERT payload. Cert Type = 4, Cert Length = 1023.
##2003-11-04 15:39:27 system-debugging: X509: sequence started.
##2003-11-04 15:39:27 system-debugging: X509: cinf sequence started.
##2003-11-04 15:39:27 system-debugging: X509: algorithm sequence started.
##2003-11-04 15:39:27 system-debugging: X509: algorithm sequence started.
##2003-11-04 15:39:27 system-debugging: X509: bitstring started.
##2003-11-04 15:39:27 system-debugging: X509: algorithm sequence started.
##2003-11-04 15:39:27 system-debugging: X509: bitstring started.
##2003-11-04 15:39:27 system-debugging: IKE<1.1.1.2> Cert_time(0) current(215883567)
##2003-11-04 15:39:27 system-debugging: IKE<1.1.1.2> recv cert with IPV4(1.1.1.2), FQDN(none), RFC822(none)
##2003-11-04 15:39:27 system-debugging: IKE<1.1.1.2>
Phase 1: Cert received has a different IP address SubAltName than expected.
##2003-11-04 15:39:27 system-debugging: Error processing CERT

Notice that the IKE ID received is of the form FQDN. This is the default. However, the certificate has a subject alternative name with an IP address. An easy way to fix this is to change the IKE Phase 1 gateway configuration to use the IPv4 address instead of the FQDN, so that it matches the certificate. Configure the IKE gateway as shown below:

set ike gateway "P1" ip 1.1.1.1 Main local-id "1.1.1.2" outgoing-interface "ethernet1" proposal "rsa-g2-3des-sha"
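As an added example (not from the article or from Juniper), the following Python script applies the same ID-versus-SAN rule to the debug ike detail lines above, so the mismatch can be spotted from a log before the gateway is changed. The mapping of IKE ID types to SAN fields and the log label printed for an IPv4 ID are assumptions.

```python
import re

# Constructed sample of the "debug ike detail" output shown in the article.
SAMPLE_DEBUG = """\
##2003-11-04 15:39:27 system-debugging: IKE<1.1.1.2> ID received: type=ID_FQDN FQDN = ns5gt.netscreen.com port=500, protocol=17
##2003-11-04 15:39:27 system-debugging: IKE<1.1.1.2> recv cert with IPV4(1.1.1.2), FQDN(none), RFC822(none)
"""

# "ID received" line: the label after the type (FQDN here) is assumed to vary by ID type.
ID_RE = re.compile(
    r"IKE<(?P<peer>[\d.]+)> ID received: type=(?P<type>ID_\w+) \w+ = (?P<value>\S+)")
# "recv cert" line: the three SAN fields the device reports ("none" when absent).
CERT_RE = re.compile(
    r"IKE<(?P<peer>[\d.]+)> recv cert with IPV4\((?P<ipv4>[^)]*)\), "
    r"FQDN\((?P<fqdn>[^)]*)\), RFC822\((?P<rfc822>[^)]*)\)")

# Assumed mapping: which SAN field an IKE ID type is compared against.
ID_TYPE_TO_SAN = {"ID_IPV4_ADDR": "ipv4", "ID_FQDN": "fqdn", "ID_USER_FQDN": "rfc822"}


def check_ike_id_against_san(id_type, id_value, san):
    """Return None when the IKE ID matches the certificate SAN, otherwise a
    message modelled on the article's debug text (the device itself names the
    SAN type it found, e.g. "IP address", rather than the type it expected)."""
    field = ID_TYPE_TO_SAN.get(id_type)
    if field is None:
        return f"unsupported IKE ID type {id_type}"
    if san.get(field, "none") != id_value:
        return f"Cert received has a different {field.upper()} SubAltName than expected"
    return None


def analyse_debug(text):
    """Pair each 'ID received' line with the 'recv cert' line for the same peer
    and return {peer: None | mismatch message}."""
    ids, results = {}, {}
    for line in text.splitlines():
        m = ID_RE.search(line)
        if m:
            ids[m["peer"]] = (m["type"], m["value"])
            continue
        m = CERT_RE.search(line)
        if m and m["peer"] in ids:
            san = {k: m[k] for k in ("ipv4", "fqdn", "rfc822")}
            results[m["peer"]] = check_ike_id_against_san(*ids[m["peer"]], san)
    return results


if __name__ == "__main__":
    for peer, verdict in analyse_debug(SAMPLE_DEBUG).items():
        print(peer, "OK" if verdict is None else verdict)
```

With the article's log the peer 1.1.1.2 is reported as a mismatch (FQDN ID against an IPv4-only SAN); the same check passes once the ID type and value are ID_IPV4_ADDR and 1.1.1.2, which is what the corrected local-id achieves.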
