Alex-
Leader

Clarification on sk108600 - VPN with 3rd parties

We have a VPN where the remote party expects a PSK and an FQDN.

 

We never had to do this before so we'd be grateful for experience feedback from those who have.

 

I've checked sk108600 (VPN Site-to-Site with 3rd Party) and would like some clarification:

- On VSX, do we need to edit the CPProfile files under the specific VS? I would assume yes but it's not explicitly mentioned

- Renewing the IPSEC Certificate and adding the FQDN as SAN will not matter in the case of PSK

- There is a procedure to export the values directly to system variables but it doesn't enforce the change, so a reboot is mandatory to make them active

 

Thanks for any insights.

 

EDIT: Point 2 is actually covered in the notes of the SK.

PhoneBoy
Admin

I assume you would do this at the VS level, yes.
Because these environment variables affect multiple processes, it requires a restart of the gateway/VS, which cpstop/cpstart should do when in the relevant VS context.

Alex-
Leader

It seems to work. We can see the FQDN being added in the IKEv2 negotiation when debugging VPN.

<Payloads>
			<Payload Type="IDi" Next="Auth" Length="26" Critical="No">
				<Type>FQDN</Type>
				<Data>MyFQDN</Data>
			</Payload>
			<Payload Type="Auth" Next="Notify" Length="72" Critical="No">
				<Method>Shared Secret</Method>

We will test with the relevant partner asking for this feature.
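
For reference, an added example (not part of the original posts, and not Check Point code) of what the IDi payload in the debug output above looks like on the wire under RFC 7296, section 3.5, and how a responder that keys its PSK on an FQDN would check it. The function names and the sample FQDN and address are hypothetical, constructed for this illustration.

```python
import struct

# ID Type values from RFC 7296, section 3.5
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR",
            5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
NEXT_AUTH = 39  # Next Payload value for AUTH (RFC 7296, section 3.2)

def build_id_payload(id_type, data, next_payload=NEXT_AUTH):
    """Generic payload header (4 bytes) + ID type + 3 reserved bytes + ID data."""
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(data), id_type) + data

def parse_id_payload(raw):
    """Decode one Identification payload; reject truncated or padded input."""
    if len(raw) < 8:
        raise ValueError("shorter than the fixed 8-byte ID payload header")
    next_payload, flags, length, id_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes received")
    return {"next": next_payload, "critical": bool(flags & 0x80),
            "type": ID_TYPES.get(id_type, f"unknown({id_type})"),
            "data": raw[8:]}

def check_peer_id(raw, expected_fqdn):
    """Return (ok, reason): does IDi carry the FQDN the peer has configured?"""
    ident = parse_id_payload(raw)
    if ident["type"] != "ID_FQDN":
        return False, f"peer sent {ident['type']}, expected ID_FQDN"
    try:
        sent = ident["data"].decode("ascii")
    except UnicodeDecodeError:
        return False, "ID_FQDN data is not ASCII"
    # Case-insensitive comparison is this example's choice; a real peer may compare bytes.
    if sent.lower() != expected_fqdn.lower():
        return False, f"FQDN mismatch: got {sent!r}"
    return True, f"ID_FQDN {sent!r} accepted"

# Constructed sample values (not from the thread)
SAMPLE_FQDN = "vpn-gw.example.com"
FQDN_IDI = build_id_payload(2, SAMPLE_FQDN.encode("ascii"))
IPV4_IDI = build_id_payload(1, bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    for name, raw in (("FQDN IDi", FQDN_IDI), ("IPv4 IDi", IPV4_IDI)):
        print(name, raw.hex(), check_peer_id(raw, SAMPLE_FQDN))
```

The IPv4 case shows why a peer that expects an FQDN rejects a gateway identifying itself by address even when the shared secret is correct.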

the_rock
Legend

I meant to reply this morning, but got tied up with something else, but PhoneBoy gave the right method. It's definitely at the VS level. I had a client who had this issue, and that's what TAC ended up suggesting as well.

Andy
