Cisco Packet Data Gateway (PDG) Troubleshooting Guide
Engineering Rules
Cisco ASR 5000 Series Packet Data Interworking Function Administration Guide
OL-22963-01
X.509 Certificate (CERT) Restrictions
The following are known restrictions for the creation and use of X.509 CERTs:

• The maximum size of the CERT configuration is 1K bytes.

• The PDIF includes the CERT payload only in the first IKE_AUTH Response for the first authentication.

• If configured, the CERT payload is sent in the IKE_AUTH response regardless of whether a CERT-REQ payload was received in the first IKEv2 IKE_AUTH request.

• The PDIF does not process a CERT payload received from the MS. If the CRITICAL bit is set in that payload, the PDIF responds with INVALID_SYNTAX.

• If the PDIF receives a CERT-REQ payload with the CRITICAL bit set in the IKE_AUTH request, the PDIF rejects the exchange. If the CRITICAL bit is not set, the PDIF ignores the payload and proceeds with the exchange.

• Only a single CERT payload is supported. While [RFC-4306] mandates support for up to 4 certificates, the PDIF service supports only one X.509 certificate per context. This is due to the size of an X.509 certificate: including multiple certificates in a single IKE_AUTH may result in the IKE_AUTH message not being transmitted properly.
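The following Python is an added illustration, not code from the guide or from the PDIF software: it walks the IKEv2 generic payload chain of an IKE_AUTH message, applies the CERT/CERT-REQ CRITICAL-bit rules listed above to an incoming request, and checks an outgoing response against the single-certificate and 1K-byte restrictions. The payload type numbers are those defined in RFC 4306; the function names, the `build_chain` encoder and the messages it produces are assumptions constructed for the example.

```python
import struct

# IKEv2 payload type numbers (RFC 4306, section 3.2).
PAYLOAD_NONE = 0
PAYLOAD_CERT = 37
PAYLOAD_CERTREQ = 38
MAX_CERT_CONFIG_BYTES = 1024  # the "1K bytes" CERT configuration limit stated above

def parse_payloads(first_type, body):
    """Walk the IKEv2 payload chain that follows the fixed IKE header.

    Generic payload header: Next Payload (1 byte), C bit + reserved (1 byte),
    Payload Length (2 bytes, network order, includes the 4-byte header).
    Returns a list of (type, critical, data) tuples; raises on malformed lengths.
    """
    payloads, ptype, offset = [], first_type, 0
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(body):
            raise ValueError("truncated payload header")
        next_type, flags, length = struct.unpack_from("!BBH", body, offset)
        if length < 4 or offset + length > len(body):
            raise ValueError("bad payload length")
        payloads.append((ptype, bool(flags & 0x80), body[offset + 4:offset + length]))
        offset, ptype = offset + length, next_type
    return payloads

def build_chain(payloads):
    """Encode (type, critical, data) tuples as (first_type, body). Constructed test input only."""
    body = b""
    for i, (ptype, critical, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", next_type, 0x80 if critical else 0, 4 + len(data)) + data
    return (payloads[0][0] if payloads else PAYLOAD_NONE), body

def pdif_ike_auth_request_policy(first_type, body):
    """Documented PDIF handling of CERT / CERT-REQ in an incoming IKE_AUTH request.

    CERT with C bit set     -> 'INVALID_SYNTAX' (payload is never processed)
    CERT-REQ with C bit set -> 'REJECT' (exchange is rejected)
    otherwise               -> 'PROCEED' (both payloads ignored, exchange continues)
    """
    for ptype, critical, _ in parse_payloads(first_type, body):
        if ptype == PAYLOAD_CERT and critical:
            return "INVALID_SYNTAX"
        if ptype == PAYLOAD_CERTREQ and critical:
            return "REJECT"
    return "PROCEED"

def pdif_response_cert_ok(first_type, body):
    """Check an IKE_AUTH response against the single-CERT and 1K-byte restrictions.
    Assumption: the CERT payload data is taken as the configured certificate size."""
    certs = [d for t, _, d in parse_payloads(first_type, body) if t == PAYLOAD_CERT]
    return len(certs) <= 1 and all(len(d) <= MAX_CERT_CONFIG_BYTES for d in certs)
```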