
[Archive] Building a VPN between a Netscreen and an OpenBSD device using certificates


Article ID: KB7822
Last Updated: 13 Aug 2010
Version: 3.0

Summary:

VPN Phase 1 negotiations fail on a Netscreen 5GT configured to peer with an OpenBSD device. The Netscreen reports:

Phase 1: Cert received has a different FQDN SubAltName than expected.
id in cert is not matched to id payload. abort

certificate based VPN

Symptoms:

The Netscreen (in this case a 5GT) is behind a NAT device, and the OpenBSD host has a public address on its untrust side.
Even though the local ID, the peer ID and the certificate's Subject Alternative Name are configured correctly, the Phase 1 negotiation fails with the error:

Phase 1: Cert received has a different FQDN SubAltName than expected.
id in cert is not matched to id payload. abort.

This was reported with ScreenOS 5.0.0r10.1. The isakmpd logs on the OpenBSD side indicate that no peer or client ID is received.

Note: The repeated failed IKE attempts eventually cause a slow memory leak on the Netscreen.

Solution:

Configuring a preferred local certificate and a peer CA on the Netscreen resolved the issue.
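The two errors above are the two distinct ways a responder's identity check can fail: the peer sends no Identification payload at all (what the isakmpd log reports), or it sends one whose identity is not among the certificate's Subject Alternative Names. The following example, added here and not taken from Juniper, ScreenOS or OpenBSD isakmpd, reproduces that check with the Python standard library: it decodes an IKEv1 ID payload body, parses the DER value of a subjectAltName extension, and compares the two the way a responder does (case-insensitive for FQDNs, exact for IPv4). The certificate names (ns5gt.example.net, 203.0.113.5) and the helper functions encode_san and id_payload are constructed test data for this illustration.

```python
import ipaddress
import struct

# IKEv1 Identification payload ID types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3

# Labels used in the mismatch message, in the style of the ScreenOS log line.
_SAN_LABEL = {"ip": "IPv4", "dns": "FQDN", "email": "USER-FQDN"}


def parse_ike_id_payload(raw):
    """Decode the body of an IKEv1 Identification payload.

    Body layout: ID type (1 byte), protocol ID (1), port (2), identification
    data.  Returns (id_type, identity_string), or None when the payload is
    missing, truncated, empty or of a type this checker does not handle.
    """
    if len(raw) < 4:
        return None
    id_type, _proto, _port = struct.unpack("!BBH", raw[:4])
    data = raw[4:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type in (ID_FQDN, ID_USER_FQDN) and data:
        return id_type, data.decode("ascii")
    return None


def _der_length(buf, pos):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_san_general_names(der):
    """Parse the DER value of a subjectAltName extension (SEQUENCE OF GeneralName).

    Returns (kind, value) pairs for the rfc822Name [1], dNSName [2] and IPv4
    iPAddress [7] choices; other GeneralName choices are skipped.
    """
    if not der or der[0] != 0x30:
        raise ValueError("subjectAltName value must be a DER SEQUENCE")
    seq_len, pos = _der_length(der, 1)
    end = pos + seq_len
    names = []
    while pos < end:
        tag = der[pos]
        length, pos = _der_length(der, pos + 1)
        value = der[pos:pos + length]
        pos += length
        if tag == 0x82:
            names.append(("dns", value.decode("ascii")))
        elif tag == 0x81:
            names.append(("email", value.decode("ascii")))
        elif tag == 0x87 and length == 4:
            names.append(("ip", str(ipaddress.IPv4Address(value))))
    return names


def encode_san(names):
    """Build a DER subjectAltName value from (kind, value) pairs.

    Constructed test helper (not a real certificate); short-form lengths only,
    which is enough for the small SANs used here.
    """
    tags = {"email": 0x81, "dns": 0x82, "ip": 0x87}
    body = b""
    for kind, value in names:
        raw = ipaddress.IPv4Address(value).packed if kind == "ip" else value.encode("ascii")
        body += bytes([tags[kind], len(raw)]) + raw
    return bytes([0x30, len(body)]) + body


def id_payload(id_type, identity, port=500):
    """Construct an IKEv1 ID payload body (test helper, not a wire capture)."""
    data = ipaddress.IPv4Address(identity).packed if id_type == ID_IPV4_ADDR else identity.encode("ascii")
    return struct.pack("!BBH", id_type, 17, port) + data  # 17 = UDP


def ike_id_matches_cert(id_payload_body, san_der):
    """Responder-side check: does the peer's ID payload name an identity that
    appears in the subjectAltName of the certificate it presented?

    Returns (ok, reason).  A missing ID payload is reported separately from a
    mismatch, which is the distinction the two log messages in this article draw.
    """
    parsed = parse_ike_id_payload(id_payload_body)
    if parsed is None:
        return False, "no peer ID payload received; abort"
    id_type, ident = parsed
    wanted = {ID_IPV4_ADDR: "ip", ID_FQDN: "dns", ID_USER_FQDN: "email"}[id_type]
    for kind, name in parse_san_general_names(san_der):
        if kind != wanted:
            continue
        same = name == ident if kind == "ip" else name.lower() == ident.lower()
        if same:
            return True, "id in cert matches id payload"
    return False, "cert received has a different %s SubAltName than expected" % _SAN_LABEL[wanted]


if __name__ == "__main__":
    san = encode_san([("dns", "ns5gt.example.net"), ("ip", "203.0.113.5")])
    print(ike_id_matches_cert(id_payload(ID_FQDN, "NS5GT.example.net"), san))
    print(ike_id_matches_cert(id_payload(ID_FQDN, "other.example.net"), san))
    print(ike_id_matches_cert(b"", san))
```

The useful diagnostic distinction is in the return value: an empty or truncated ID payload yields "no peer ID payload received", which matches the isakmpd symptom, while a well-formed payload naming an identity absent from the certificate yields the SubAltName mismatch that ScreenOS logs. When a gateway is behind NAT, the peer ID that must appear in the certificate is the configured FQDN or user-FQDN, not the translated source address, which is why an IPv4 identity would fail here against a certificate that carries only a dNSName.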