
[Archive] Building a VPN between a Netscreen and an OpenBSD device using certificates

[KB7822]


Summary:

VPN Phase 1 negotiations fail on a Netscreen 5GT peering with an OpenBSD device in a certificate-based VPN. The Netscreen reports:

Phase 1: Cert received has a different FQDN SubAltName than expected.

id in cert is not matched to id payload. abort

Symptoms:

The Netscreen (in this case a 5GT) is behind a NAT device, and the OpenBSD device has a public address on its untrust side.
Even though the local ID, the peer ID and the certificate's Subject Alternative Name are all configured correctly, the Phase 1 negotiation fails with the error:

Phase 1: Cert received has a different FQDN SubAltName than expected.
id in cert is not matched to id payload. abort.

This was reported in ScreenOS 5.0.0r10.1. The OpenBSD isakmpd logs indicate that no peer or client ID is received.

Note: The failed IKE attempts would eventually cause a slow memory leak.

Solution:
Configuring a preferred local certificate and a peer CA on the Netscreen resolved the issue.
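The following is an added example of how that solution maps onto the ScreenOS CLI; it is not part of the KB article. The gateway name, the certificate id numbers and the FQDNs are constructed placeholders, and the command syntax is recalled from the ScreenOS CLI reference and should be checked against the reference for the release in use.

```screenos
# Added example (not from the KB). Placeholders: gateway "gw-openbsd",
# local certificate id 2, CA certificate id 1. Verify syntax for your release.

# 1. Find the numeric ids ScreenOS assigned to the loaded certificates.
get pki x509 list local-cert   # device certificates; note the id of the one whose SAN is the local ID
get pki x509 list ca-cert      # CA certificates; note the id of the CA that issued the OpenBSD peer's cert

# 2. Bind a preferred local certificate and the peer's CA to the IKE gateway,
#    so the Netscreen sends a known certificate and validates the peer's against a known CA.
set ike gateway gw-openbsd cert my-cert 2
set ike gateway gw-openbsd cert peer-ca 1
set ike gateway gw-openbsd cert peer-cert-type x509-sig

# 3. Confirm the binding, save, and retry Phase 1.
get ike gateway gw-openbsd
save
```

After the retry, `get ike cookies` and `debug ike detail` on the Netscreen, and the isakmpd log on the OpenBSD side, should show the ID payload being received and matched against the certificate's SubjectAltName.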