Hello group,

when doing IPsec with PKI to an ASA, there's an option on the ASA to check
whether the peer ID sent in the identity payload of the 5th packet of the MM
exchange is identical to the DN (subject) of the peer cert:
    tunnel-group <name> ipsec-attributes
           peer-id-validate req|nocheck|cert

While the first two options are clear (just check or do not check),
the "cert" option is somewhat obscure.
The command lookup at Cisco says: "cert - if supported by cert".
What does that mean?
I believe each cert must have a DN field (CN, OU, etc.)...
Or no?
Understanding that is important because the ASA is set to require
the check by default, and, on the other hand, IOS sends its IP address
as its ID by default, so the MM will not succeed without tweaking that.

thank you.
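Added illustration (not part of the original post): the two sides of the mismatch described above, as a minimal config fragment. The tunnel-group name, peer address 192.0.2.2 and trustpoint name are assumed placeholders; the point is that with peer-id-validate req on the ASA, the IOS side is switched from its default address identity to a DN identity so the ID payload can be matched against the certificate subject.

```text
! --- IOS side (assumed example router) ---
! Default would be "crypto isakmp identity address", which sends the
! peer IP in the ID payload; the ASA's DN check has nothing to match.
crypto isakmp identity dn
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2

! --- ASA side (assumed example firewall) ---
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 ! "req" = require the peer ID to equal the subject DN of the peer cert
 ! "nocheck" = skip the comparison
 ! "cert" = perform the check only if the certificate supports it
 peer-id-validate req
 trust-point EXAMPLE-CA
```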