Last Modified: Oct 16, 2019
See more info
Known Affected Versions:
13.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 13.1.1, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 13.1.3, 22.214.171.124, 14.1.0, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 14.1.2, 126.96.36.199
Opened: Apr 17, 2018
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.
-- Using certificate based authentication in IPsec IKEv2. -- Configuring an ike-peer with peers-id-type as asn1dn.
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.