diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst
index 5745ca8..08b97ed 100755
--- a/debian/wit-network-config.postinst
+++ b/debian/wit-network-config.postinst
@@ -389,6 +389,8 @@ case "$1" in
 pki --gen --type rsa --size 2048 --outform pem >${KEYFILE}
 pki --req --in ${KEYFILE} --type rsa --digest sha512 --dn "C=US, O=Wit, CN=${HOSTNAME}" --san "${HOSTNAME}" --outform pem | curl -6 --fail -T - ${CACURLURL}/reqs/${REQFILE##*/}
+ # we wanna migrate to this DN once the new ipsec.conf is rolled out everywhere
+ #pki --req --in ${KEYFILE} --type rsa --digest sha512 --dn "C=US, O=Wit, OU=DCs, OU=PhyNodes, CN=${HOSTNAME}" --san "${HOSTNAME}" --outform pem | curl -6 --fail -T - ${CACURLURL}/reqs/${REQFILE##*/}
 curl -6 --fail -so ${CAFILE} ${CACURLURL}/cacerts/${CAFILE##*/}
 curl -6 --fail -so ${CRLFILE} ${CACURLURL}/crls/${CRLFILE##*/}
diff --git a/templates/ipsec.conf.wit b/templates/ipsec.conf.wit
index 667b237..4daacf0 100644
--- a/templates/ipsec.conf.wit
+++ b/templates/ipsec.conf.wit
@@ -23,6 +23,7 @@ conn %default
 leftcert = FQHOSTNAME.crt
 leftid = "C=US, O=Wit, CN=FQHOSTNAME"
 rightid = "C=US, O=Wit, CN=*"
+ rightid2 = "C=US, O=Wit, OU=DCs, OU=PhyNodes, CN=*"
 auto = route
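Review bot: The commented-out `pki --req` line in debian/wit-network-config.postinst is a second copy of the live pipeline that differs only in `--dn`, so any later change to the digest, SAN or upload URL has to be made twice or the copy silently goes stale. Consider holding the subject in one variable, e.g. `CERT_DN="C=US, O=Wit, CN=${HOSTNAME}"` used as `--dn "${CERT_DN}"`, and keeping only a comment that names the future value `C=US, O=Wit, OU=DCs, OU=PhyNodes, CN=${HOSTNAME}`. The comment should also state the switch condition precisely (every peer's ipsec.conf accepts the new DN), because a host that requests the new DN early would presumably fail the peers' `rightid` match. The enclosing `case "$1" in` branch starts and ends outside the hunk.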
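Review bot: `rightid2` in `conn %default` of templates/ipsec.conf.wit is, as far as I know from the strongSwan ipsec.conf documentation, the peer identity for a second IKEv2 authentication round (paired with `rightauth2`), not an additional accepted value for `rightid`. If that reading holds, peers presenting the new `OU=DCs, OU=PhyNodes` DN would still be checked against `rightid = "C=US, O=Wit, CN=*"` in the first round, so the migration this line prepares would not work as intended; a handshake with a new-DN certificate should be tested before relying on it. An alternative to evaluate is a parallel `conn` that differs only in `rightid`, or constraining peers by issuing CA via `rightca` instead of by subject pattern. Whichever form is used, a comment such as `# transitional: accept new DN layout until all hosts are re-issued` would record why two identity patterns exist. The `conn %default` section begins and ends outside the hunk.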