Found the problem: You must validate the peer using certificates
tunnel-group R3.digitalcortex.local ipsec-attributes
 peer-id-validate cert

Now everything works. The default value is peer-id-validate req.

From: [email protected] [mailto:[email protected]] On Behalf Of Shawn H. Mesiatowsky
Sent: Wednesday, July 08, 2009 11:02 AM
To: 'OSL Security'
Subject: [OSL | CCIE_Security] IOS CA + L2L vpn between asa and ios

I am trying to set up a L2L VPN between an ASA and a router using digital certificates. I am using another router as a CA. When ISAKMP tries to establish an SA, I see the following in a debug on the ASA:

Jul 05 2009 21:49:28: %PIX-7-713906: Group = R3.digitalcortex.local, IP = 172.16.123.2, Unable to compare IKE ID against peer cert Subject Alt Name

I copied the certs from the CA router and compared the two certificates in Windows. I saw the ASA cert contains an extra attribute:

Subject Alt Name: DNS Name=ASA1.digitalcortex.local

But the router cert does not contain this attribute. It seems the ISAKMP SA is failing because the router cert does not contain this attribute. Any idea how to make the router request this attribute in its cert, or how to tell the ASA to stop looking for this attribute?

Thanks for your help
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
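The peer-ID validation settings involved, as an added configuration example that is not part of Shawn's message: the ASA side shows the default beside the value he switched to, and the IOS side is an assumed alternative (trustpoint name and CA URL are placeholders) that makes the router request a DNS Subject Alt Name at enrollment so the ASA's default check can be kept.

```text
! ASA side: peer-id-validate on the L2L tunnel-group.
! "req" (the default) fails when the peer certificate carries no
! Subject Alt Name to compare the IKE ID against (the %PIX-7-713906 above).
tunnel-group R3.digitalcortex.local ipsec-attributes
 peer-id-validate req
!
! The change from the thread: compare only when the certificate supports it.
tunnel-group R3.digitalcortex.local ipsec-attributes
 peer-id-validate cert
!
! "peer-id-validate nocheck" exists as well; it skips the comparison entirely
! and is the weakest of the three.

! IOS side (assumed alternative): enrol the router with an FQDN so the issued
! certificate carries DNS Name=R3.digitalcortex.local in its Subject Alt Name.
! "IOSCA" and <ca-router-ip> are placeholders, not values from the thread.
crypto pki trustpoint IOSCA
 enrollment url http://<ca-router-ip>:80
 fqdn R3.digitalcortex.local
 subject-name CN=R3.digitalcortex.local
```

With peer-id-validate cert a peer certificate that has no SAN is accepted without the identity comparison, so the IOS-side enrollment change is what lets the stricter default remain in place.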
