For whoever/ANYONE is willing to help a poor junior with VPN matters
The overall scenario is Site-to-Site, with certificates, IKEv1, against a NetScreen 5200 – 6.2.0r2. I want to identify the peers by ID_FQDN, because I am about to put NAT between the sites, so I cannot identify the peers by IP.
In the certificates on the Initiators I have CN=peer$i, where i goes from 1 to 30.
On the NetScreen I created several Dynamic IKE peers, for which I set identification by CN=peer1 – the first gateway, CN=peer2 – the second gateway, and so on.
When the first tunnel request arrives from the first gateway (which also has the certificate with CN=peer1), the NetScreen handles the tunnel request through the first dynamic IKE, namely the one that identifies its peer by CN=peer1. The tunnel is created correctly.
The problem is that when the second tunnel request reaches the NetScreen, coming from peer 2, which has CN=peer2 in its certificate, the NetScreen again tries to handle the request through the first dynamic IKE (the one expecting a peer with CN=peer1). Obviously no ID is found (see the log attached below), and the Juniper does not even try to handle the request through the second dynamic IKE (which really is expecting a peer with CN=peer2) – and the tunnel fails.
How do I have to configure the NetScreen so that each dynamic IKE handles the tunnel request matching the Identification it was configured with: the dynamic IKE expecting CN=peer1 handles tunnel requests from the peer that has CN=peer1 in its certificate, the dynamic IKE expecting CN=peer2 handles tunnel requests from the peer that has CN=peer2 in its certificate, and so on
## 2009-06-12 18:40:28 : IKE<157.11.0.2> Found peer entry (1s2sRNAT1) from 157.11.0.2.
## 2009-06-12 18:40:28 : responder create sa: 157.11.0.2->170.2.0.1
## 2009-06-12 18:40:28 : init p1sa, pidt = 0x0
## 2009-06-12 18:40:28 : change peer identity for p1 sa, pidt = 0x0
## 2009-06-12 18:40:28 : IKE<0.0.0.0 > peer_identity_create_with_uid: uid<0>
## 2009-06-12 18:40:28 : IKE<0.0.0.0 > create peer identity 0x3b3afe1c
## 2009-06-12 18:40:28 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry before add <1>
## 2009-06-12 18:40:28 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry after add <2>
## 2009-06-12 18:40:28 : peer identity 3b3afe1c created.
## 2009-06-12 18:40:28 : IKE<0.0.0.0 > EDIPI disabled
## 2009-06-12 18:40:28 : IKE<157.11.0.2> getProfileFromP1Proposal->
–output omitted–
## 2009-06-12 18:40:28 : IKE<157.11.0.2> Found peer entry (1s2sRNAT1) from 157.11.0.2.
## 2009-06-12 18:40:28 : responder create sa: 157.11.0.2->170.2.0.1
## 2009-06-12 18:40:28 : init p1sa, pidt = 0x0
## 2009-06-12 18:40:28 : change peer identity for p1 sa, pidt = 0x0
## 2009-06-12 18:40:28 : IKE<0.0.0.0 > peer_identity_create_with_uid: uid<0>
## 2009-06-12 18:40:28 : IKE<0.0.0.0 > create peer identity 0x3b3afe1c
## 2009-06-12 18:40:28 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry before add <1>
## 2009-06-12 18:40:28 : IKE<0.0.0.0 > peer_identity_add_to_peer: num entry after add <2>
## 2009-06-12 18:40:28 : peer identity 3b3afe1c created.
## 2009-06-12 18:40:28 : IKE<0.0.0.0 > EDIPI disabled
## 2009-06-12 18:40:28 : IKE<157.11.0.2> getProfileFromP1Proposal->
–output omitted–
That 1s2sRNAT1 indicates the dynamic peer that expects a tunnel request with a certificate where CN=peer1, not peer2.
Tags: nerves, passion, techie
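The log above names the peer entry ("Found peer entry (1s2sRNAT1) from 157.11.0.2") before any identity is logged, and the only thing the lookup line carries is the source address, which with NAT in between is shared by every initiator. The following added example (my own constructed model, not NetScreen code or a description of ScreenOS internals) contrasts an address-keyed lookup, which can only ever hold one entry per NAT address, with a lookup keyed on the CN asserted in the initiator's certificate, and adds a small check over debug lines shaped like the post's that counts how often one peer entry is selected from one address. The gateway names `gw_peerN`, the `DynamicGateway` type and `SAMPLE_LOG` are constructed for the example.

```python
"""Constructed model of IKE responder gateway selection by certificate identity,
plus a check over NetScreen-style debug lines. Not NetScreen/ScreenOS code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DynamicGateway:
    name: str         # gateway entry name on the responder (constructed)
    expected_cn: str  # CN the initiator's certificate is expected to carry


# Constructed table mirroring the post's layout: one entry per initiator CN, peer1..peer30.
GATEWAYS: List[DynamicGateway] = [DynamicGateway(f"gw_peer{i}", f"peer{i}") for i in range(1, 31)]


def cn_from_subject(subject_dn: str) -> Optional[str]:
    """Extract the CN attribute from a subject DN string such as 'CN=peer2,O=Example'."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def select_by_identity(gateways: List[DynamicGateway], subject_dn: str) -> Optional[DynamicGateway]:
    """Pick the gateway whose configured CN equals the CN in the initiator's certificate.
    Keyed on identity rather than source address, so one shared NAT address does not
    collapse every initiator onto the first entry."""
    cn = cn_from_subject(subject_dn)
    if cn is None:
        return None
    for gw in gateways:
        if gw.expected_cn == cn:
            return gw
    return None


def select_by_source_ip(gateways_by_ip: Dict[str, DynamicGateway], src_ip: str) -> Optional[DynamicGateway]:
    """Address-keyed lookup: a table keyed on the source IP has room for exactly one entry
    per NAT address, which is the failure mode the post describes."""
    return gateways_by_ip.get(src_ip)


# Matches the peer-entry selection line from the post's debug output.
PEER_ENTRY_RE = re.compile(r"Found peer entry \((?P<entry>[^)]+)\) from (?P<src>\d+(?:\.\d+){3})")


def count_peer_entry_hits(log_text: str) -> Counter:
    """Count how often each (source IP, peer entry) pair is selected in the debug log.
    Several negotiations from one NAT address all landing on one entry is the symptom."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = PEER_ENTRY_RE.search(line)
        if m:
            hits[(m.group("src"), m.group("entry"))] += 1
    return hits


# Constructed debug excerpt shaped like the one in the post (two negotiations, one address).
SAMPLE_LOG = """\
## 2009-06-12 18:40:28 : IKE<157.11.0.2> Found peer entry (1s2sRNAT1) from 157.11.0.2.
## 2009-06-12 18:40:28 : responder create sa: 157.11.0.2->170.2.0.1
## 2009-06-12 18:40:28 : IKE<157.11.0.2> Found peer entry (1s2sRNAT1) from 157.11.0.2.
## 2009-06-12 18:40:28 : responder create sa: 157.11.0.2->170.2.0.1
"""

if __name__ == "__main__":
    nat_ip = "157.11.0.2"
    by_ip = {nat_ip: GATEWAYS[0]}  # address-keyed table: only the first entry fits
    # Two initiators behind the same NAT address present different CNs.
    for subject in ("CN=peer1,O=Example", "CN=peer2,O=Example"):
        print(subject, "| by IP ->", select_by_source_ip(by_ip, nat_ip).name,
              "| by identity ->", select_by_identity(GATEWAYS, subject).name)
    print(count_peer_entry_hits(SAMPLE_LOG))
```

Run stand-alone, the address-keyed lookup returns `gw_peer1` for both subjects while the identity-keyed lookup returns `gw_peer1` and `gw_peer2`, and the log check reports the pair `("157.11.0.2", "1s2sRNAT1")` selected twice; that count is the thing to look for in a responder debug when several NAT'd initiators are failing on the same entry.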