[VPN] Netscreen SCEP and iPlanet CA
David Klein
dklein at netscreen.com
Tue Feb 18 19:20:20 EST 2003
Juri,
I haven't had a chance to try the iPlanet SCEP interface. It should work.
Regarding this ...
> From my point of view the problem is that iPlanet CA doesn't add the FQDN
> as SubjectAlternativeName to certificate,
> but Netscreen is required this to establish tunnel.
The Netscreen will support DN if your cert doesn't have a SubjectAltName
field. You should try to find the right knobs on the iPlanet CA to make the
CA generate this field. However, if worst comes to worst and you can't get
it to work then use DNs on the Netscreen.
To do this use the keyword [DistinguishedName] as the local IKE id in the
"set ike gateway ..." definition. For the remote IKE id, you can use the
asn1-dn keyword in the "set ike gateway ..." definition. Here's some more
detail on Netscreens:
There are 4 IKE_id types that we support for phase 1 identification of a
peer gateway or VPN client:
1) IP address (e.g., 64.81.225.173)
2) FQDN (e.g., netscreen.dklein.com)
3) User-FQDN or email address (e.g., dklein at netscreen.com)
4) DN or Distinguished Name (e.g., CN=klein,OU=SE,O=Netscreen,C=US,...)
When doing pre-shared keys, we can only do 1, 2, or 3.
When doing X.509 certs, then we can do all of them.
If doing X.509 certs and doing identification based on 1, 2, or 3 then you
have to have a V3 extension in the certificate called "Subject Alternative
Name" field. This can contain one or more of the first three IKE types and
values. These values get set by doing the following:
To have the cert request include a domain name of name.domain.com:
set hostname name
set domain domain.com
For IP address and email address:
set pki x509 dn email "ns204 at dklein.com"
set pki x509 dn ip "10.9.8.204"
If doing X.509 certs and you don't have the "Subject Alternative Name" field
(commonly done when some CA issues you something like an SSL server cert for
the Netscreen) then you have to do DN IKE identification. To do this on a
Netscreen, use the keyword [DistinguishedName] (with the square brackets) to
tell the NetScreen to use the DN from its own certificate to identify itself
to the peer.
To tell the NetScreen to expect a DN from the peer, use the asn1-dn id type:
set ike gateway name dynamic asn1-dn { container | wildcard } string ...
set ike gateway name ip 3.3.3.3 id asn1-dn { container | wildcard } string ...
Example with static IP on peer:
set ike gateway peer-gw ip 5.5.5.5 id asn1-dn wildcard
"cn=gw-test,o=netscreen,c=us" main local-id [DistinguishedName]
outgoing-interface ethernet1 proposal rsa-g2-3des-sha
or with dynamic IP on peer:
set ike gateway peer-gw dynamic asn1-dn wildcard
"cn=gw-test,o=netscreen,c=us" aggr local-id [DistinguishedName]
outgoing-interface ethernet1 proposal rsa-g2-3des-sha
And select your local cert and CA cert:
set ike gateway peer-gw cert my-cert <cert-id-num>
set ike gateway peer-gw cert peer-cert-type x509-sig
set ike gateway peer-gw cert peer-ca <ca-cert-id-num>
Make sure your clocks are accurate.
Also make sure your CRL is loaded or you have access to a valid CRL-DP.
Dave Klein
Netscreen SE
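The rule Dave lays out above (IP, FQDN and user-FQDN IKE IDs need a matching SubjectAltName entry; with no usable SAN you fall back to the DN) can be checked against a certificate's SubjectAltName before you pick the gateway's id type. The following is an added example, not code from the list post or from Netscreen: it encodes and decodes the SubjectAltName extension value (a DER SEQUENCE OF GeneralName, tags from RFC 5280) with only the standard library and maps the names found to the ScreenOS id types. The hostname, email and IP values are constructed sample data; in a real certificate the SEQUENCE sits inside the extension's OCTET STRING, which you would unwrap first.

```python
"""Map a certificate's SubjectAltName to the IKE identity types it can assert."""
import ipaddress

# GeneralName context-specific tag numbers (RFC 5280, section 4.2.1.6)
RFC822_NAME = 1     # email / user-FQDN  -> IKE id type 3
DNS_NAME = 2        # FQDN              -> IKE id type 2
DIRECTORY_NAME = 4  # an X.500 name; not one of the three SAN-based IKE ids
IP_ADDRESS = 7      # IP address        -> IKE id type 1

SEQUENCE = 0x30
CONTEXT = 0x80      # class bits for context-specific (primitive) tags

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def encode_san(dns=(), emails=(), ips=()):
    """Build the SubjectAltName extension value (SEQUENCE OF GeneralName)."""
    names = []
    for d in dns:
        names.append(tlv(CONTEXT | DNS_NAME, d.encode("ascii")))
    for e in emails:
        names.append(tlv(CONTEXT | RFC822_NAME, e.encode("ascii")))
    for ip in ips:
        # iPAddress carries the raw network-order octets, not a string
        names.append(tlv(CONTEXT | IP_ADDRESS, ipaddress.ip_address(ip).packed))
    return tlv(SEQUENCE, b"".join(names))

def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_san(san_der):
    """Return the IKE-relevant names in a SubjectAltName value, grouped by type."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != SEQUENCE:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    found = {"ip": [], "fqdn": [], "user-fqdn": []}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        number = tag & 0x1F
        if number == DNS_NAME:
            found["fqdn"].append(value.decode("ascii"))
        elif number == RFC822_NAME:
            found["user-fqdn"].append(value.decode("ascii"))
        elif number == IP_ADDRESS:
            found["ip"].append(str(ipaddress.ip_address(value)))
        # directoryName, URI, etc. are skipped: they are not SAN-based IKE ids
    return found

def ike_id_choices(san_der):
    """IKE ids a cert can assert as (screenos-id-type, value) pairs.

    With no SAN, or a SAN holding none of the three usable name forms, the
    only option is DN identification: local-id [DistinguishedName] on this
    side and id asn1-dn on the peer's definition."""
    dn_only = [("asn1-dn", "[DistinguishedName]")]
    if san_der is None:
        return dn_only
    names = decode_san(san_der)
    choices = ([("ip", v) for v in names["ip"]]
               + [("fqdn", v) for v in names["fqdn"]]
               + [("u-fqdn", v) for v in names["user-fqdn"]])
    return choices or dn_only

if __name__ == "__main__":
    # Constructed sample: the values a "set pki x509 dn ..." request would carry
    san = encode_san(dns=["ns204.dklein.com"], emails=["ns204@dklein.com"],
                     ips=["10.9.8.204"])
    print("with SAN:   ", ike_id_choices(san))
    print("without SAN:", ike_id_choices(None))  # the SSL-server-cert case
```

Feed `decode_san` the bytes of the extension value from any parsed certificate and the returned dictionary tells you which of the three SAN-based id types the peer can be configured with; an empty result means the asn1-dn path from the post is the only one left.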
-----Original Message-----
From: Juri.Reitsakas at Vorguvara.ee [mailto:Juri.Reitsakas at Vorguvara.ee]
Sent: Monday, February 17, 2003 2:23 PM
To: vpn at lists.shmoo.com
Subject: [VPN] Netscreen SCEP and iPlanet CA
Hi,
Was anybody able to successfully configure Netscreen to use CEP with
iPlanet CA?
If yes, please share the information on how to do it.
From my point of view the problem is that iPlanet CA doesn't add the FQDN as
SubjectAlternativeName to the certificate,
but Netscreen requires this to establish the tunnel.
Best Regards
Juri