"Unable to get DN from certificate!" site to site with certificates

train_wreck
Level 1

I have a 1921 that I am attempting to set up a site to site VPN to a Sophos XG firewall device. Both devices have certs signed with my personal CA, and the CA cert has been imported on both devices. I am seeing the following output in the error logs on the Cisco during connection attempt:

Dec 10 06:12:31.630: ISAKMP-ERROR: (1772):Unable to get DN from certificate!
Dec 10 06:12:31.634: %CRYPTO-6-IKMP_NO_ID_CERT_DN_MATCH: (NOT ERROR BUT WARNING ONLY)ID of cn=Sophos.pLAN9.co (type 9) and certificate DN with cn=Sophos.pLAN9.co

For some strange reason, the Cisco thinks that "cn=Sophos.pLAN9.co" does not match "cn=Sophos.pLAN9.co"... this makes absolutely no sense.

The Sophos has a cert with a DN of "cn=Sophos.pLAN9.co", which has been verified by running "openssl x509 -in <cert> -text -noout". There is nothing wrong with the certs on either side.

Any ideas? Can provide configs on both sides if needed, but the 1921 has the same crypto map settings for the Sophos that are used to connect to other devices with no problem.
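The warning in the post reports the peer's IKE ID as type 9, which in IKEv1 is ID_DER_ASN1_DN: the identity is a DER-encoded X.501 Name, and the responder compares it against the subject DN of the presented certificate, not against the CN string alone. The log line only prints the CN from each side, so two identical-looking "cn=" strings can still come from Names that are not equal (extra RDNs such as O= or OU=, different RDN order). The following added example, which is not code from the thread or from Cisco or Sophos, is a minimal DER Name encoder/decoder that makes this visible: it builds a constructed certificate subject "O=pLAN9, CN=Sophos.pLAN9.co" and a constructed peer ID "CN=Sophos.pLAN9.co" (the O= value and the one-attribute-per-RDN restriction are assumptions for illustration) and shows that the CNs match while the full DNs do not. The check a practitioner would then do is to dump the real subject with `openssl x509 -in <cert> -subject -noout` and compare every RDN, not just the CN, with the ID the peer sends.

```python
"""Minimal DER X.501 Name encoder/decoder (added example, not from the thread).

Demonstrates that an IKEv1 ID of type 9 (ID_DER_ASN1_DN) is a whole Name,
so CN-equality is not DN-equality. Only single-attribute RDNs with
UTF8String values are supported; that is enough for the comparison.
"""

# Attribute types that appear in typical subjects (real OIDs from X.520).
ATTR_OIDS = {"CN": "2.5.4.3", "O": "2.5.4.10", "OU": "2.5.4.11", "C": "2.5.4.6"}
OID_NAMES = {oid: name for name, oid in ATTR_OIDS.items()}

TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_UTF8 = 0x30, 0x31, 0x06, 0x0C


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs fold into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def encode_name(rdns):
    """rdns: ordered list of (attr, value); Name ::= SEQUENCE OF SET OF SEQUENCE{OID, value}."""
    body = b""
    for attr, value in rdns:
        atv = _tlv(TAG_SEQUENCE,
                   _tlv(TAG_OID, _encode_oid(ATTR_OIDS[attr])) + _tlv(TAG_UTF8, value.encode()))
        body += _tlv(TAG_SET, atv)
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(der: bytes):
    """Parse a DER Name back into an ordered list of (attr, value)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _read_tlv(rdn, 0)          # first (and only) attribute of the RDN
        _, oid, after_oid = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, after_oid)
        dotted = _decode_oid(oid)
        rdns.append((OID_NAMES.get(dotted, dotted), val.decode()))
    return rdns


def cn_of(der: bytes):
    """The CN string, i.e. what the IOS log line prints for each side."""
    return next((v for a, v in decode_name(der) if a == "CN"), None)


def cn_matches(subject_der: bytes, id_der: bytes) -> bool:
    return cn_of(subject_der) == cn_of(id_der)


def dn_matches(subject_der: bytes, id_der: bytes) -> bool:
    """What a type-9 ID comparison actually requires: every RDN, in order."""
    return decode_name(subject_der) == decode_name(id_der)


# Constructed sample values: the certificate subject carries an extra O= RDN
# (assumed for illustration); the peer sends only the CN as its ID.
SAMPLE_SUBJECT = encode_name([("O", "pLAN9"), ("CN", "Sophos.pLAN9.co")])
SAMPLE_PEER_ID = encode_name([("CN", "Sophos.pLAN9.co")])

if __name__ == "__main__":
    print("CN match :", cn_matches(SAMPLE_SUBJECT, SAMPLE_PEER_ID))   # True
    print("DN match :", dn_matches(SAMPLE_SUBJECT, SAMPLE_PEER_ID))   # False
    print("subject  :", decode_name(SAMPLE_SUBJECT))
```

The point of the two predicates is that a log message showing equal CNs is consistent with a failed DN comparison; only the full decoded subject settles whether the sent ID and the certificate Name are the same object.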

3 Replies

Hello,

On the Sophos, try and disable the 'Local ID and Remote ID' option in the IPSec profile altogether.

If that doesn't help, post the configs of both sides.

The Sophos does not allow me to disable Local & Remote ID. When I get a moment, I will post the configurations from both sides.

The Sophos only allows the following options for IDs:

  • DNS
  • FQDN
  • Email Address
  • DER ASN1 DN

I have set the 1921 to use "crypto isakmp identity DN". Should I perhaps use a different identity?

Hello,

Try 'crypto isakmp identity hostname', where the hostname should be the FQDN you are already using as DN. It is essentially the same thing as using the DN, but maybe it works...