When you configure certificates for an IPSec tunnel you will find that by default it also sends the OU. If this is the same OU as the ASA, no additional configuration is required. If the OU is different, then you need to specify the OUs that you will accept.
Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities: http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Wednesday, October 07, 2009 5:33 AM
To: [email protected]
Subject: [OSL | CCIE_Security] peer-id-validate

Hello group,

When doing IPsec with PKI to an ASA, there is an option on the ASA to check whether the peer ID sent in the identity payload of the 5th packet of the MM exchange is identical to the DN (subject) of the peer certificate:

tunnel-group <name> ipsec-attributes
 peer-id-validate req|nocheck|cert

While the first two options are clear (just check or do not check), the "cert" option is somewhat obscure. The command lookup at Cisco says: "cert - if supported by cert". What does that mean? I believe each cert must have a DN field (cn, ou, etc.)... Or no?

Understanding that is important because the ASA is set to require the check by default, and, on the other hand, IOS sends its IP address as its ID by default, so the MM will not succeed without tweaking that.

Thank you.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
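The following configuration fragment is an added illustration of the two points raised in the thread (restricting which certificate OUs the ASA accepts, and making the IOS peer send its DN as its IKE identity so the ASA's default `peer-id-validate req` check can succeed). It is not configuration posted by either participant; the map, tunnel-group, trustpoint and OU names are placeholders, and the exact keyword spelling (for example `ikev1 trust-point` versus the older `trust-point`) depends on the ASA software version, so verify it against the release you run.

```text
! --- ASA side (added example; names are placeholders) ---
! Only peers whose certificate subject carries the expected OU are mapped
! to the site-to-site tunnel-group; any other OU falls through and fails.
crypto ca certificate map PEER-OU-MAP 10
 subject-name attr ou eq Engineering
!
tunnel-group-map enable rules
tunnel-group-map PEER-OU-MAP 10 BRANCH-L2L
!
tunnel-group BRANCH-L2L type ipsec-l2l
tunnel-group BRANCH-L2L ipsec-attributes
 ikev1 trust-point ASA-TRUSTPOINT
 peer-id-validate req
!
! --- IOS side (added example) ---
! IOS identifies itself by IP address unless told otherwise. Sending the
! certificate DN instead lets the ASA compare the IKE ID with the cert
! subject, which is what "peer-id-validate req" enforces.
crypto isakmp identity dn
crypto isakmp policy 10
 authentication rsa-sig
```

From a defender's point of view the combination matters: the certificate map decides which certificates are even eligible for the tunnel-group, and `peer-id-validate req` additionally rejects a peer whose claimed IKE identity does not match the subject of the certificate it presented, so neither check alone should be relaxed to `nocheck` just to get a mismatched IOS peer to negotiate.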
