
S2S VPN with Cisco RV340 - "ERROR: ID mismatched with subjectAltName."

train_wreck
Luminary

We are in the process of setting up a new Cisco RV340 in a site to site with a FVS336Gv3. We are using certificates, and have generated a cert for the RV340 and have successfully set it up with a S2S to a Cisco 1921.

We are trying the Netgear, and are getting the following log output from the VPN log:

Mon Sep 04 15:01:34 2017 (GMT -0500): [FVS336GV3] [IKE] ERROR:  Ignore information because ISAKMP-SA has not been established yet.
Mon Sep 04 15:01:34 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Sending Informational Exchange: notify payload[INVALID-ID-INFORMATION]
Mon Sep 04 15:01:34 2017 (GMT -0500): [FVS336GV3] [IKE] ERROR:  ID mismatched with subjectAltName.
Mon Sep 04 15:01:33 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  NAT not detected 
Mon Sep 04 15:01:33 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  NAT-D payload matches for CISCO_IP[500]
Mon Sep 04 15:01:33 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  NAT-D payload matches for NETGEAR_IP[500]
Mon Sep 04 15:01:32 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  NAT not detected 
Mon Sep 04 15:01:32 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  NAT-D payload matches for CISCO_IP[500]
Mon Sep 04 15:01:32 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  NAT-D payload matches for NETGEAR_IP[500]
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  For CISCO_IP[500], Selected NAT-T version: RFC 3947
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Received Vendor ID: RFC 3947
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Received Vendor ID: DPD
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  For CISCO_IP[500], Selected NAT-T version: RFC 3947
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Received Vendor ID: RFC 3947
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Received Vendor ID: DPD
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Beginning Identity Protection mode.
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Received request for new phase 1 negotiation: NETGEAR_IP[500]<=>CISCO_IP[500]
Mon Sep 04 15:01:31 2017 (GMT -0500): [FVS336GV3] [IKE] INFO:  Configuration found for CISCO_IP[500].

The message "ID mismatched with subjectAltName" is where this is failing. The Cisco's cert does not have any data in the subjectAlternativeName field. I have regenerated with the value Cisco.site as the subjectAltName, but the Netgear produces the same error.

What does the message "ID mismatched with subjectAltName." mean? If you put it in quotes on Google you literally get 10 results on the entire internet, most of which are for the source code for some program called "racoon".

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 1 of 7
JohnC_V
NETGEAR Moderator

Re: S2S VPN with Cisco RV340 - "ERROR: ID mismatched with subjectAltName."

Hi train_wreck,

It seems that you were trying to connect the NETGEAR VPN firewall to your Cisco with a site-to-site connection. As per your logs, NAT is also not detected. Is there a conflict between the LANs of the 2 routers? It also shows that the Netgear and the Cisco have already seen each other, as the phase 1 negotiation is connected. You were stuck on phase 2. Would you be able to check that?

Please refer to this article.

Regards,

Message 2 of 7
train_wreck
Luminary

Re: S2S VPN with Cisco RV340 - "ERROR: ID mismatched with subjectAltName."

Here are IKE & IPsec SA configs. Pretty sure everything matches....

[Attachments: Netgear IKE, Netgear IPsec SA, Cisco IKE & SA config, Cisco IPSec Profile]

Message 3 of 7
JohnC_V
NETGEAR Moderator

Re: S2S VPN with Cisco RV340 - "ERROR: ID mismatched with subjectAltName."

@train_wreck,

Thank you for the attachments.

I see that you do have the same configurations for IPSec on both routers. "ID mismatch with subjectAltName" refers to your identifiers, which are the local and remote certificates that you are using. May I know if your Netgear router is running on its latest firmware version?

Regards,

Message 4 of 7
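The moderator's reply above points at the identifiers. As an added example that is not from this thread or from either vendor, the script below reproduces the check behind the message with openssl: racoon (the IKE daemon whose source the original post found) compares the peer's IKE identifier against the certificate's subjectAltName entries of the same type, so an FQDN ID must exactly equal a DNS SAN and an IP-address ID an IP SAN, and a certificate with no SAN at all, as the original Cisco cert had, can never match. Assumed: openssl 1.1.1 or later (for -addext), and the constructed name Cisco5.site and address 203.0.113.10 in the test certificate.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the IKE-ID vs subjectAltName
# comparison with openssl so a peer certificate can be checked before the
# tunnel is brought up. Names and addresses below are constructed.

# Print the certificate's SAN entries one per line, e.g. "DNS:Cisco5.site".
# A certificate without a SAN extension prints nothing.
san_entries() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }' |
    tr ',' '\n' | sed 's/^[ \t]*//'
}

# Usage: ike_id_matches_san CERT IDTYPE VALUE
# IDTYPE is the IKE identifier type the peer sends (fqdn, user_fqdn or ipaddr);
# each maps to one SAN kind, and VALUE must equal a SAN entry of that kind
# exactly (assumed case-sensitive, the strictest reading of the error).
ike_id_matches_san() {
  cert=$1; idtype=$2; want=$3
  case "$idtype" in
    fqdn)      prefix="DNS:" ;;
    user_fqdn) prefix="email:" ;;
    ipaddr)    prefix="IP Address:" ;;
    *) echo "unsupported IKE ID type: $idtype" >&2; return 2 ;;
  esac
  if san_entries "$cert" | grep -qxF "${prefix}${want}"; then
    return 0
  fi
  echo "ID mismatched with subjectAltName: $idtype '$want' not in" \
       "[$(san_entries "$cert" | tr '\n' ' ')]" >&2
  return 1
}

# Constructed self-signed test certificate carrying one DNS and one IP SAN.
make_demo_cert() {  # DIR
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$1/cisco.key" -out "$1/cisco.pem" -subj "/CN=Cisco5.site" \
    -addext "subjectAltName=DNS:Cisco5.site,IP:203.0.113.10" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
ike_id_matches_san "$demo_dir/cisco.pem" fqdn Cisco5.site && echo "fqdn Cisco5.site: OK"
ike_id_matches_san "$demo_dir/cisco.pem" ipaddr 203.0.113.10 && echo "ipaddr 203.0.113.10: OK"
ike_id_matches_san "$demo_dir/cisco.pem" fqdn Cisco.site || echo "fqdn Cisco.site: rejected"
```

Run it against the real peer certificate and the identifier configured on the peer; a rejection here is the same condition the FVS336Gv3 logs as "ID mismatched with subjectAltName.".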
train_wreck
Luminary

Re: S2S VPN with Cisco RV340 - "ERROR: ID mismatched with subjectAltName."

Latest version (April 2017, the last one you guys will make apparently).

Here are certs..... I mentioned "Cisco.site" in the previous posts; I have regenerated the Cisco's cert numerous times in testing this, and all references to it on either router have been changed to "Cisco5.site".

[Attachments: Cert1.png, Cert2.png]

Message 5 of 7
JohnC_V
NETGEAR Moderator

Re: S2S VPN with Cisco RV340 - "ERROR: ID mismatched with subjectAltName."

@train_wreck,

It seems that everything should be OK now, but it is still not working. Let me inquire about this case of yours and I'll get back to you immediately.

Regards,

Message 6 of 7
JohnC_V
NETGEAR Moderator

Re: S2S VPN with Cisco RV340 - "ERROR: ID mismatched with subjectAltName."

@train_wreck,

I've been thinking about the certificate that you have. Was it the same certificate that you've been using with the Cisco 1921? I believe if the connection is still up and running from the Cisco 1921, you may need to create another certificate for the FVS336Gv3. Could we try creating another certificate just for the Netgear connection?

Regards,

Message 7 of 7