We have an upcoming migration in place from CP 5600 to CP Maestro 140.
The Maestro fabric has 2 QF 9000 appliances in a single security group, and this is a single-site deployment.
This will be a direct migration where the Maestro SG will inherit the IP schema of the live 5600 GW as is.
The management server is also the same, so objects and rules will also be the same, along with the VPN community.
Now my query is that, as I have checked the live 5600 GW object under the IPsec VPN settings, I can see that there is a certificate repository which is available for the live gateways; it has one defaultcert and 2 different certs which are being used for a DAIP VPN.
When I check the Maestro repository, I only see one defaultcert and not the other certificates.
Please note Maestro is not yet added to the VPN communities, and I am assuming that once I add Maestro to the VPN community and then push policy on Maestro, the certificates will be visible for Maestro as well.
Kindly go through and assist with some documentation to solve this.
The whole point of DAIP is not to be tied to an IP.
Which means the SAN does not need to include the IP as it will necessarily change...because DAIP.
Internal Certificate Authority certificates will be generated and applied automatically.
If an external CA is used (if you have more than one certificate there, you probably are), you will need to add a new certificate, which will generate a CSR that needs to be signed by the CA.
Hello PhoneBoy,
Thanks for your inputs. As you mentioned, I have generated a new CSR and also got it signed by our CA (in this case it was our Microsoft team). Everything was proper; I uploaded the certificate and completed the CSR process. However, in the existing gateway the certificate has the live WAN virtual IP in it under SAN, and the certificate that I generated for the new GW doesn't have the IP in it. I just want to know: if we migrate at this point, will the DAIP VPN renegotiate automatically with the new GW, as the certificate has the same DN details and issuer details on the new certificate? The only thing that's missing is the Subject Alternative Name "IP Address : Live WAN-VIP".
I need clarification on this point as this is a critical migration, and your help is highly appreciated.
I'm sure PhoneBoy will confirm, but to me, logically, it does not sound like that would work at all if the right IP is not listed.
Andy
Hello the_rock,
This is exactly what I thought, but I do have one more query as to why the signed certificate did not have the WAN IP in it. While generating the CSR I selected the same trusted CA server which is used for the live gateways and also replicated the same DN details into it. Is it possible that, because the WAN interfaces were physically disabled on Maestro, the CSR was not able to pull the IP details into it? Or could it be that while signing the certificate we have to mention the SAN details explicitly? Not sure about this.
I'm not an expert by any means when it comes to certificates (never was), but to me, it sounds like there could be 2 reasons:
1) CSR did not include the right IP
2) SAN must be defined
Andy
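The two questions in this exchange (does the CSR carry the IP, and does the issued certificate's SAN match the live one) can be settled by inspection rather than by guessing. The script below is an added example, not code from the thread or from Check Point; it uses OpenSSL as a stand-in for the gateway's own CSR generation and for the issuing CA. It builds two constructed certificates with the same DN, one with a placeholder WAN VIP in the SAN and one without, then compares subject, issuer and SAN IP entries the way the poster describes doing by eye. The DN values, the IP 203.0.113.10 and the hostname are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: compare subject, issuer and SAN IP entries of an old and a
# new gateway certificate, and confirm a CSR actually requests the SAN.
# Requires OpenSSL 1.1.1 or later (for -addext). Not Check Point tooling.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in certificates (placeholder DN, IP and hostname).
# In OpenSSL the SAN only exists if it is requested explicitly; nothing is
# read from the host's interfaces, disabled or otherwise.
make_cert() {  # $1 = basename, $2 = subjectAltName value
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=XX/O=Example Org/CN=dc-gateway" \
        -addext "subjectAltName=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_cert live    "IP:203.0.113.10,DNS:dc-gateway.example.net"   # has the VIP
make_cert maestro "DNS:dc-gateway.example.net"                   # VIP missing

# A CSR that explicitly requests the IP SAN, so it can be checked before
# it is sent to the CA (the CA may still drop or rewrite the SAN).
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=XX/O=Example Org/CN=dc-gateway" \
    -addext "subjectAltName=IP:203.0.113.10,DNS:dc-gateway.example.net" \
    -keyout "$WORK/req.key" -out "$WORK/req.csr" 2>/dev/null

dn_field() {  # $1 = cert, $2 = subject|issuer; prints the DN in RFC 2253 form
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*=//'
}

san_ips() {  # $1 = x509|req, $2 = file; prints IP SAN entries, one per line
    openssl "$1" -in "$2" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*IP Address:\([^[:space:]]*\).*/\1/p'
}

same_identity() {  # $1 = old cert, $2 = new cert; 0 if subject and issuer match
    [ "$(dn_field "$1" subject)" = "$(dn_field "$2" subject)" ] &&
    [ "$(dn_field "$1" issuer)"  = "$(dn_field "$2" issuer)" ]
}

missing_san_ips() {  # IPs in the old cert's SAN that the new cert lacks
    for ip in $(san_ips x509 "$1"); do
        san_ips x509 "$2" | grep -qx "$ip" || echo "$ip"
    done
}

if same_identity "$WORK/live.pem" "$WORK/maestro.pem"; then
    echo "subject and issuer match"
fi
echo "CSR requests SAN IPs: $(san_ips req "$WORK/req.csr" | tr '\n' ' ')"
echo "old SAN IPs absent from new cert: $(missing_san_ips "$WORK/live.pem" "$WORK/maestro.pem" | tr '\n' ' ')"
```

Run the same `san_ips req` check on the real CSR before handing it to the CA, and `missing_san_ips` on the exported old and new gateway certificates afterwards; an empty list from the first means the SAN was never requested, a non-empty list from the second means the CA did not issue what was requested.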
The whole point of DAIP is not to be tied to an IP.
Which means the SAN does not need to include the IP as it will necessarily change...because DAIP.
Hello PhoneBoy,
I completely agree with your point, but in this case the peer gateway will have a dynamic IP and the local GW (live DC 5600 cluster) has a single WAN IP. The certificate that is being uploaded on both ends, peer and local, is signed by the same trusted CA.
Even so, the (lack of) SAN IP hasn't presented an issue that I'm aware of.
If you want 100% confirmation, check with TAC.