IKE Peer Validation error on certificate based tunnel

Article ID: 173683

Products

Web Security Service - WSS

Issue/Introduction

During normal operation of a certificate-based IPsec tunnel from a Cisco device, an outage occurs and the device logs the following:

Jan 13 6:12:24 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, IKE Identity DN does not match peer cert DN

Cause

During IKE tunnel establishment, the peer provides its identity: an IP address, a Fully Qualified Domain Name (FQDN), or a Distinguished Name (DN). It also presents a certificate, which may contain none, some, or all of these fields.

If IKE peer identity validation is enabled, the VPN Concentrator compares the peer's identity to the corresponding field in the certificate. If the information matches, the peer's identity is validated and the VPN Concentrator establishes the tunnel. If it does not match, the VPN Concentrator drops the tunnel. This feature provides an additional level of security: IKE Peer Identity Validation can be used to bind a peer to a particular IP address or domain name.

With IKE Peer Identity Validation enabled, the identity presented by the peer does not match the DN in its certificate, so the error above is logged and the tunnel is dropped.

Environment

Certificate-based IPsec tunnel to Web Security Service (WSS) from a Cisco device.

Resolution

The solution is to disable IKE Peer Identity Validation. It is enabled by default; adding the following lines to the running configuration disables it for the WSS tunnel-group.

From the CLI, enter the following, replacing <Peer ID> with the WSS peer IP address:

tunnel-group <Peer ID> ipsec-attributes
 peer-id-validate nocheck

This setting is not available in the GUI; it must be added from the CLI.
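As an added defender's check (not part of this article or the product), the script below parses the syslog message quoted above for DN-mismatch events and reports which affected tunnel-groups still lack peer-id-validate nocheck in their ipsec-attributes. The log lines and running-config excerpt are constructed samples; the IP addresses are documentation placeholders.

```python
import re
from typing import Optional

# Constructed sample syslog lines in the format quoted in the article (placeholder IPs).
SAMPLE_LOGS = """\
Jan 13 6:12:24 [IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, IKE Identity DN does not match peer cert DN
Jan 13 6:12:25 [IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, Removing peer from peer table failed, no match!
Jan 13 6:13:01 [IKEv1]Group = 198.51.100.7, IP = 198.51.100.7, IKE Identity DN does not match peer cert DN
"""

# Constructed running-config excerpt: the first tunnel-group already has the fix, the second does not.
SAMPLE_CONFIG = """\
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 peer-id-validate nocheck
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
"""

LOG_RE = re.compile(
    r"\[IKEv1\]Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), "
    r"IKE Identity DN does not match peer cert DN"
)


def find_dn_mismatches(logs: str) -> list[tuple[str, str]]:
    """Return unique (group, ip) pairs for every DN-mismatch event, in first-seen order."""
    seen: list[tuple[str, str]] = []
    for line in logs.splitlines():
        m = LOG_RE.search(line)
        if m and (m["group"], m["ip"]) not in seen:
            seen.append((m["group"], m["ip"]))
    return seen


def peer_id_validate_mode(config: str, group: str) -> Optional[str]:
    """Return the peer-id-validate value in the group's ipsec-attributes block, or None if unset.

    An absent line means the default (validation enabled) is in effect."""
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):  # unindented line starts a new top-level block
            in_block = line.strip() == f"tunnel-group {group} ipsec-attributes"
            continue
        parts = line.split()
        if in_block and len(parts) == 2 and parts[0] == "peer-id-validate":
            return parts[1]
    return None


def unresolved_peers(logs: str, config: str) -> list[str]:
    """Groups that logged a DN mismatch and whose tunnel-group still validates the peer identity."""
    return [g for g, _ in find_dn_mismatches(logs) if peer_id_validate_mode(config, g) != "nocheck"]
```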