I am trying to set up an L2L VPN between an ASA and a router using digital certificates. I am using another router as a CA. When ISAKMP tries to establish an SA, I see the following in a debug on the ASA:

Jul 05 2009 21:49:28: %PIX-7-713906: Group = R3.digitalcortex.local, IP = 172.16.123.2, Unable to compare IKE ID against peer cert Subject Alt Name

I copied the certs from the CA router and compared the two certificates in Windows. I saw the ASA cert contains an extra attribute:

Subject Alt Name: DNS Name=ASA1.digitalcortex.local

But the router cert does not contain this attribute. It seems the ISAKMP SA is failing because the router cert does not contain this attribute. Any idea how to make the router request this attribute in its cert, or how to tell the ASA to stop looking for this attribute?

Thanks for your help
