<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2800.1141" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff
size=2>Juri,</FONT></SPAN></DIV>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff size=2>I
haven't had a chance to try the iPlanet SCEP interface. It should
work. Regarding this ...</FONT></SPAN></DIV>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV><SPAN class=536101200-19022003><FONT face=Arial size=2>&gt; From my point
of view the problem is that iPlanet CA doesn't add the FQDN as
SubjectAlternativeName to the certificate,<BR>but Netscreen requires this to
establish a tunnel.</FONT></SPAN></DIV></BLOCKQUOTE>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff size=2>The
Netscreen will support DN if your cert doesn't have a SubjectAltName
field. You should try to find the right knobs on the iPlanet CA to make
the CA generate this field. However, if worst comes to worst and you can't
get it to work, then use DNs on the Netscreen.</FONT></SPAN></DIV>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff size=2>To do
this use the keyword [DistinguishedName] as the local IKE id in the "set
ike gateway ..." definition. For the remote IKE id, you can use the
asn1-dn keyword in the "set ike gateway ..." definition. Here's some
more detail on Netscreens:</FONT></SPAN></DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=536101200-19022003></SPAN></FONT></FONT><FONT color=#0000ff></FONT><SPAN
class=536101200-19022003><FONT face=Arial color=#0000ff
size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2>There are 4 IKE_id types that we
support for phase 1 identification of a peer gateway or VPN client:</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2>1) IP address (e.g.,
64.81.225.173)</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2>2) FQDN (e.g.,
netscreen.dklein.com)</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2>3) User-FQDN or email address (e.g.,
dklein@netscreen.com)</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2>4) DN or Distinguished Name (e.g.,
CN=klein,OU=SE,O=Netscreen,C=US,...)</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2>When doing pre-shared keys, we can
only do 1, 2, or 3.</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2>When doing X.509 certs, then we can
do all of them.</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2>If doing X.509 certs and doing
identification based on 1, 2, or 3 then you have to have a V3 extension in the
certificate called "Subject Alternative Name" field. This can contain one or
more of the first three IKE types and values. These values get set by doing the
following:</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2>To have the cert request include
the domain name name.domain.com:</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set host name</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set domain
domain.com</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2>For IP address and email
address:</FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set pki x509 dn email
"ns204@dklein.com"</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set pki x509 dn ip
"10.9.8.204"</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2>If doing X.509 certs and
you don't have the "Subject Alternative Name" field (commonly done when some CA
issues you something like an SSL server cert for the Netscreen), then you have to
do DN IKE identification. </FONT></FONT></FONT><FONT face=Arial color=#0000ff size=2>To do this on
a Netscreen, use the keyword [DistinguishedName] (with the square brackets) to
tell the NetScreen to use the DN from its own certificate to identify itself to
the peer. </FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2>To tell the NetScreen to expect a DN
from the peer, use the asn1-dn id type:</FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set ike gateway name dynamic asn1-dn {
container | wildcard } string ...</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set ike gateway name ip 3.3.3.3 id
asn1-dn { container | wildcard } string ...</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2>Example with static IP on
peer:</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set ike gateway peer-gw ip 5.5.5.5 id
asn1-dn wildcard "cn=gw-test,o=netscreen,c=us" main local-id [DistinguishedName]
outgoing-interface ethernet1 proposal rsa-g2-3des-sha</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2>or with dynamic IP on
peer:</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set ike gateway peer-gw dynamic asn1-dn
wildcard "cn=gw-test,o=netscreen,c=us" aggr local-id [DistinguishedName]
outgoing-interface ethernet1 proposal rsa-g2-3des-sha</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2>And select your local cert and CA
cert:</FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set ike gateway peer-gw cert my-cert
&lt;cert-id-num&gt;</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set ike gateway peer-gw cert
peer-cert-type x509-sig</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=536101200-19022003> </SPAN>set ike gateway peer-gw cert peer-ca
&lt;ca-cert-id-num&gt;</FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2>Make sure your clocks are
accurate.</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2>Also make sure your CRL is loaded or
you have access to a valid CRL-DP. </FONT></DIV>
<DIV></SPAN><FONT face=Arial><FONT size=2><SPAN class=536101200-19022003><FONT
face=Arial color=#0000ff size=2></FONT></SPAN></FONT></FONT> </DIV>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff size=2>Dave
Klein</FONT></SPAN></DIV>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff
size=2>Netscreen SE</FONT></SPAN></DIV>
<DIV><SPAN class=536101200-19022003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
Juri.Reitsakas@Vorguvara.ee [mailto:Juri.Reitsakas@Vorguvara.ee]
<BR><B>Sent:</B> Monday, February 17, 2003 2:23 PM<BR><B>To:</B>
vpn@lists.shmoo.com<BR><B>Subject:</B> [VPN] Netscreen SCEP and iPlanet
CA<BR><BR></FONT></DIV><BR><FONT face=sans-serif size=2>Hi,</FONT>
<BR><BR><FONT face=sans-serif size=2>Was anybody able to successfully
configure Netscreen to use CEP with iPlanet CA?</FONT> <BR><FONT
face=sans-serif size=2>If yes, please share the information on how to do
it.</FONT> <BR><BR><FONT face=sans-serif size=2>From my point of view the
problem is that iPlanet CA doesn't add the FQDN as SubjectAlternativeName to
the certificate,</FONT> <BR><FONT face=sans-serif size=2>but Netscreen requires
this to establish a tunnel.</FONT> <BR><BR><FONT face=sans-serif size=2>Best
Regards</FONT> <BR><BR><FONT face=sans-serif
size=2>Juri</FONT></BLOCKQUOTE></BODY></HTML>