[VPN] Netscreen SCEP and iPlanet CA

David Klein dklein at netscreen.com
Tue Feb 18 19:20:20 EST 2003


Juri,
 
I haven't had a chance to try the iPlanet SCEP interface.  It should work.
Regarding this ...
 

> From my point of view the problem is that iPlanet CA doesn't add the FQDN
> as SubjectAlternativeName to the certificate,
> but Netscreen requires this to establish a tunnel.

 
The Netscreen will support DN if your cert doesn't have a SubjectAltName
field.  You should try to find the right knobs on the iPlanet CA to make the
CA generate this field.  However, if worst comes to worst and you can't get
it to work, then use DNs on the Netscreen.
 
To do this use the keyword [DistinguishedName] as the local IKE id in the
"set ike gateway ..." definition.  For the remote IKE id, you can use the
asn1-dn keyword in the "set ike gateway ..." definition.   Here's some more
detail on Netscreens:
 
There are 4 IKE ID types that we support for phase 1 identification of a
peer gateway or VPN client:
1) IP address (e.g., 64.81.225.173)
2) FQDN (e.g., netscreen.dklein.com)
3) User-FQDN or email address (e.g., dklein at netscreen.com)
4) DN or Distinguished Name (e.g., CN=klein,OU=SE,O=Netscreen,C=US,...)
 
When doing pre-shared keys, we can only do 1, 2, or 3.
When doing X.509 certs, then we can do all of them.
 
If doing X.509 certs and doing identification based on 1, 2, or 3, then you
have to have a V3 extension in the certificate called the "Subject Alternative
Name" field. This can contain one or more of the first three IKE ID types and
values. These values get set by doing the following:
To have the cert request include the domain name name.domain.com:
 
  set hostname name
  set domain domain.com
 
For IP address and email address:
  set pki x509 dn email "ns204 at dklein.com"
  set pki x509 dn ip "10.9.8.204"
 
If doing X.509 certs and you don't have the "Subject Alternative Name" field
(commonly done when some CA issues you something like an SSL server cert for
the Netscreen), then you have to do DN IKE identification.  To do this on a
Netscreen, use the keyword [DistinguishedName] (with the square brackets) to
tell the NetScreen to use the DN from its own certificate to identify itself
to the peer.
 
To tell the NetScreen to expect a DN from the peer, use the asn1-dn id type:
  set ike gateway name dynamic asn1-dn { container | wildcard } string ...
  set ike gateway name ip 3.3.3.3 id asn1-dn { container | wildcard } string ...
 
Example with static IP on peer:
 
  set ike gateway peer-gw ip 5.5.5.5 id asn1-dn wildcard "cn=gw-test,o=netscreen,c=us" main local-id [DistinguishedName] outgoing-interface ethernet1 proposal rsa-g2-3des-sha
 
or with dynamic IP on peer:
 
  set ike gateway peer-gw dynamic asn1-dn wildcard "cn=gw-test,o=netscreen,c=us" aggr local-id [DistinguishedName] outgoing-interface ethernet1 proposal rsa-g2-3des-sha
 
And select your local cert and CA cert:
  set ike gateway peer-gw cert my-cert <cert-id-num>
  set ike gateway peer-gw cert peer-cert-type x509-sig
  set ike gateway peer-gw cert peer-ca <ca-cert-id-num>
 
Make sure your clocks are accurate.
Also make sure your CRL is loaded or you have access to a valid CRL-DP. 
 
Dave Klein
Netscreen SE
 

-----Original Message-----
From: Juri.Reitsakas at Vorguvara.ee [mailto:Juri.Reitsakas at Vorguvara.ee] 
Sent: Monday, February 17, 2003 2:23 PM
To: vpn at lists.shmoo.com
Subject: [VPN] Netscreen SCEP and iPlanet CA



Hi, 

Was anybody able to successfully configure Netscreen to use CEP with
iPlanet CA?
If yes, please share the information on how to do it.

From my point of view the problem is that iPlanet CA doesn't add the FQDN as
SubjectAlternativeName to the certificate,
but Netscreen requires this to establish a tunnel.

Best Regards 

Juri
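The identity rules laid out in Dave's reply (types 1-3 need a SubjectAltName entry, the DN is always available from a cert, pre-shared keys cannot use a DN, and the [DistinguishedName] keyword stands for the gateway's own subject DN) are small enough to model in code. The following is an added example, not code from the thread or from ScreenOS: certificate contents are constructed in-line rather than parsed from DER, and the way "wildcard" and "container" compare DNs (order ignored versus same order, extra attributes tolerated) is my reading of the two keywords, not something the post spells out.

```python
# Added example, not from the mailing-list thread: a model of the IKE phase-1
# identity rules described in the reply. Certificates are constructed, not parsed,
# and the wildcard/container semantics are an assumption about ScreenOS behaviour.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class IkeIdType(Enum):
    IP = "ip"             # 1) IP address
    FQDN = "fqdn"         # 2) fully qualified domain name
    USER_FQDN = "u-fqdn"  # 3) user@fqdn / e-mail address
    ASN1_DN = "asn1-dn"   # 4) X.509 distinguished name


@dataclass
class CertIdentity:
    """Identity-bearing parts of an X.509 certificate (constructed sample data)."""
    subject_dn: List[Tuple[str, str]]                   # ordered pairs, e.g. [("cn", "gw-test"), ...]
    san_ip: List[str] = field(default_factory=list)     # SubjectAltName iPAddress entries
    san_dns: List[str] = field(default_factory=list)    # SubjectAltName dNSName entries
    san_email: List[str] = field(default_factory=list)  # SubjectAltName rfc822Name entries

    def has_san(self) -> bool:
        return bool(self.san_ip or self.san_dns or self.san_email)

    def san_entries(self, id_type: IkeIdType) -> List[str]:
        return {IkeIdType.IP: self.san_ip, IkeIdType.FQDN: self.san_dns,
                IkeIdType.USER_FQDN: self.san_email}[id_type]


def dn_to_string(dn: List[Tuple[str, str]]) -> str:
    """Render a DN the way the CLI examples write it: cn=gw-test,o=netscreen,c=us."""
    return ",".join(f"{attr}={value}" for attr, value in dn)


def parse_dn(text: str) -> List[Tuple[str, str]]:
    """Parse "cn=gw-test,o=netscreen,c=us" into ordered pairs (assumes no escaped commas)."""
    pairs = []
    for part in text.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def usable_id_types(cert: Optional[CertIdentity], preshared: bool) -> Set[IkeIdType]:
    """Phase-1 ID types a gateway can assert: pre-shared keys give types 1-3 only;
    with a cert the DN is always there, and IP/FQDN/e-mail need a SubjectAltName entry."""
    if preshared:
        return {IkeIdType.IP, IkeIdType.FQDN, IkeIdType.USER_FQDN}
    if cert is None:
        raise ValueError("certificate authentication needs a certificate")
    types = {IkeIdType.ASN1_DN}
    for id_type in (IkeIdType.IP, IkeIdType.FQDN, IkeIdType.USER_FQDN):
        if cert.san_entries(id_type):
            types.add(id_type)
    return types


def local_id(cert: CertIdentity, configured: str) -> Tuple[IkeIdType, str]:
    """Resolve the local-id setting; [DistinguishedName] expands to our own cert's DN.
    Any other value must be backed by a SubjectAltName entry of the matching kind."""
    if configured == "[DistinguishedName]":
        return IkeIdType.ASN1_DN, dn_to_string(cert.subject_dn)
    if "@" in configured:
        id_type = IkeIdType.USER_FQDN
    elif configured.replace(".", "").isdigit():
        id_type = IkeIdType.IP
    else:
        id_type = IkeIdType.FQDN
    if configured.lower() not in (e.lower() for e in cert.san_entries(id_type)):
        raise ValueError(f"local-id {configured!r} has no SubjectAltName entry in the cert")
    return id_type, configured


def dn_matches(peer_dn: List[Tuple[str, str]], pattern: List[Tuple[str, str]], mode: str) -> bool:
    """asn1-dn comparison (assumed semantics): 'wildcard' needs every configured pair
    somewhere in the peer DN; 'container' needs them in the same relative order."""
    peer = [(a.lower(), v.lower()) for a, v in peer_dn]
    pat = [(a.lower(), v.lower()) for a, v in pattern]
    if mode == "wildcard":
        return all(p in peer for p in pat)
    if mode == "container":
        pos = 0
        for p in pat:
            if p not in peer[pos:]:
                return False
            pos = peer.index(p, pos) + 1
        return True
    raise ValueError(f"unknown asn1-dn mode: {mode!r}")


def verify_peer_id(peer_cert: CertIdentity, id_type: IkeIdType, expected: str,
                   mode: str = "wildcard") -> bool:
    """Responder-side check after the chain is trusted: the asserted IKE ID must be
    bound to the peer's certificate (subject DN for type 4, SubjectAltName otherwise)."""
    if id_type is IkeIdType.ASN1_DN:
        return dn_matches(peer_cert.subject_dn, parse_dn(expected), mode)
    if not peer_cert.has_san():
        return False  # no SAN extension: types 1-3 cannot be tied to this cert at all
    return expected.lower() in (e.lower() for e in peer_cert.san_entries(id_type))


# Constructed samples: a cert with a full SAN, and an SSL-server-style cert without one.
NS_CERT = CertIdentity([("cn", "gw-test"), ("ou", "SE"), ("o", "netscreen"), ("c", "us")],
                       san_ip=["10.9.8.204"], san_dns=["netscreen.dklein.com"],
                       san_email=["ns204@dklein.com"])
NO_SAN_CERT = CertIdentity([("cn", "gw-test"), ("o", "netscreen"), ("c", "us")])

if __name__ == "__main__":
    print(sorted(t.value for t in usable_id_types(NO_SAN_CERT, preshared=False)))
    print(local_id(NO_SAN_CERT, "[DistinguishedName]"))
    print(verify_peer_id(NS_CERT, IkeIdType.ASN1_DN, "cn=gw-test,o=netscreen,c=us", "container"))
```

Run as a script, the block shows the SAN-less cert leaving asn1-dn as the only usable type, the [DistinguishedName] keyword resolving to that cert's DN, and a container match succeeding even though the peer DN carries an extra ou= attribute between cn= and o=.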
