Cisco Cisco Packet Data Gateway (PDG)
Evolved Packet Data Gateway Engineering Rules
X.509 Certificate (CERT) Restrictions ▀
ePDG Administration Guide, StarOS Release 18 ▄
119
X.509 Certificate (CERT) Restrictions
The following are known restrictions for the creation and use of X.509 CERT:
The maximum size of a CERT configuration is 4096 bytes.
The ePDG includes the CERT payload only in the first IKE_AUTH Response for the first authentication.
If the ePDG receives the CERT-REQ payload when it is not configured to use certificate authentication and if
the CRITICAL bit is set in the IKE_AUTH request, the ePDG will reject the exchange. If the ePDG receives
the CERT-REQ payload when it is not configured to use certificate authentication and if the CRITICAL bit is
not set, the ePDG ignores the payload and proceeds with the exchange to be authenticated using EAP.
the CERT-REQ payload when it is not configured to use certificate authentication and if the CRITICAL bit is
not set, the ePDG ignores the payload and proceeds with the exchange to be authenticated using EAP.
Only a single CERT payload is supported. While RFC 4306 mandates the support of up to four certificates, the
ePDG service will support only one X.509 certificate per context. This is due to the size of an X.509 certificate.
Inclusion of multiple certificates in a single IKE_AUTH may result in the IKE_AUTH message not being
properly transmitted.
Inclusion of multiple certificates in a single IKE_AUTH may result in the IKE_AUTH message not being
properly transmitted.