VPN IPsec using certificate between Cisco & Nortel

fbarnier
Level 1

We have configured a LAN-to-LAN IPsec connection using digital certificates between a VPN Cisco 3000 and a Nortel Contivity.

We have successfully tested the configuration on both sides and we have tried to replicate this in the production environment.

But the tunnel is not active and we have this message in the Cisco log:

142 01/04/2007 11:11:17.270 SEV=5 IKE/79 RPT=4 144.36.239.xxx
Group [144.36.239.xxx]
Validation of certificate successful
(CN=MiDC12xxx, SN=74D7B50900000000xxxx)

144 01/04/2007 11:11:17.270 SEV=7 IKEDBG/0 RPT=179 144.36.239.xxx
Group [144.36.239.xxx]
peer ID type 9 received (DER_ASN1_DN)

145 01/04/2007 11:11:17.270 SEV=3 IKE/0 RPT=6 144.36.239.xxx
Group [144.36.239.xxx]
IKE Identity DN does not match peer cert DN

Could you explain the last sentence to me: which identity DN? Who is the peer, as I'm logged on to the Cisco?

We have reinstalled the identity certificate on both sides and we have the same problem.


5220
Level 4

Hi,

Check the Group's "DN Field" settings, under Group-> IPSEC.

Or, check the "Configuration | Policy Management | Certificate Group Matching"

See http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1dbb.html#1450058

Please rate if this helped.

Regards,

Daniel

Hi,

thanks for your answer.

We have no rules or policy defined for Group Matching. I had already checked this part before.

I will try a different configuration for the DN field and see if it's working.
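
The log in the question shows peer ID type 9 (DER_ASN1_DN): the remote gateway sent a DER-encoded distinguished name as its IKE identity, and the last log line reports that this DN does not match the DN of the certificate that was just validated. As an added example (not part of the thread, and not Cisco or Nortel code), the Python below decodes two such DNs and classifies how they differ. The DNs, the function names and the three categories are assumptions made for illustration; the thread does not say which difference applied here.

```python
# Added example with constructed DNs; standard X.520 attribute OIDs, keyed by DER body.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}
PRINTABLE, UTF8 = 0x13, 0x0C          # ASN.1 string tags
def tlv(tag, body):
    assert len(body) < 128            # short-form length is enough for the samples
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return tag, buf[start:start + length], start + length

def parse_name(der):
    """Decode a DER X.501 Name into [(attr, string_tag, text), ...] in wire order."""
    tag, rdns, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)      # SET OF AttributeTypeAndValue
        _, atv, _ = read_tlv(rdn, 0)           # single-valued RDN assumed
        _, oid, p = read_tlv(atv, 0)
        stag, val, _ = read_tlv(atv, p)
        out.append((OIDS.get(oid, oid.hex()), stag, val.decode("utf-8", "replace")))
    return out

def check_ike_id(id_dn, cert_subject):
    """Classify how an ID_DER_ASN1_DN payload differs from the peer cert subject."""
    if id_dn == cert_subject:
        return "match"
    a = [(k, v) for k, _, v in parse_name(id_dn)]
    b = [(k, v) for k, _, v in parse_name(cert_subject)]
    if a == b:
        return "same attributes, different string encoding"
    if sorted(a) == sorted(b):
        return "same attributes, different RDN order"
    return "different DN"

def make_name(attrs):
    """Build a DER Name from [(attr, string_tag, text), ...] (constructed data only)."""
    oid = {v: k for k, v in OIDS.items()}
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid[a]) + tlv(t, s.encode()))) for a, t, s in attrs))

CERT = make_name([("C", PRINTABLE, "FR"), ("O", PRINTABLE, "Example"), ("CN", PRINTABLE, "gw-a.example")])
ID_REORDERED = make_name([("CN", PRINTABLE, "gw-a.example"), ("O", PRINTABLE, "Example"), ("C", PRINTABLE, "FR")])
ID_UTF8 = make_name([("C", PRINTABLE, "FR"), ("O", UTF8, "Example"), ("CN", UTF8, "gw-a.example")])
```

To use it on real data, pass the raw DER subject from each side's identity certificate to `check_ike_id` in place of the constructed samples.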
