Does anyone have an example of this configuration in a lab? I am having trouble finding anything like it in the cisco docs. Thanks, Roger
On Wed, Oct 7, 2009 at 8:27 AM, Tyson Scott <[email protected]> wrote:
> When you configure certificates for an IPSec tunnel you will find that by
> default it also sends the OU. If this is the same OU as the ASA no
> additional configuration is required. If the OU is different then you need
> to specify the OUs that you will accept.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
> and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
> Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage
> Lab Certifications.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> [email protected]
> Sent: Wednesday, October 07, 2009 5:33 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] peer-id-validate
>
> Hello group,
>
> when doing ipsec with pki to asa, there's an option on asa to check
> whether the peer-id sent in the identity payload of the 5th packet of the MM
> exchange is identical to the DN (subject) of the peer cert:
>
>   tunnel-group <name> ipsec-attributes
>     peer-id-validate req|nocheck|cert
>
> while the first two options are clear (just -- check or do not check),
> the "cert" option is somewhat obscure.
> the command lookup at cisco says: "cert - if supported by cert".
> what does that mean?
> I believe each cert must have a DN field (cn, ou, etc)...
> Or no?
> Understanding that is important because ASA is set to require
> the check by default, and, on the other hand, IOS sends IP address
> as its id by default, so the MM will not succeed without tweaking with
> that.
>
> thank you.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
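A minimal lab configuration for the scenario discussed in this thread, added here as an example and not taken from any poster: the ASA terminates the L2L tunnel with the default peer-id-validate req, and the IOS router is switched from its default IP-address identity to sending its certificate DN, so the identity payload in MM5 carries something the ASA can compare against the subject of the presented certificate. The trustpoint name LAB-CA, the ACL L2L-ACL, the map names, the OU value and the 192.0.2.1 / 198.51.100.1 addresses are assumed; CA enrollment on both devices is not shown.

```text
! ---------- ASA (outside 198.51.100.1), assumes trustpoint LAB-CA is enrolled ----------
! "auto" sends the certificate DN as the IKE identity when rsa-sig authentication is used
crypto isakmp identity auto
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
crypto isakmp enable outside
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map CM 10 match address L2L-ACL
crypto map CM 10 set peer 192.0.2.1
crypto map CM 10 set transform-set TS
crypto map CM 10 set trustpoint LAB-CA
crypto map CM interface outside
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 trust-point LAB-CA
 ! req is the default: the IKE ID received in MM5 must match the DN of the peer's cert
 peer-id-validate req
!
! Only needed when the router's certificate carries a different OU than the ASA's:
! name the OU that is accepted and map certificates carrying it to the L2L tunnel-group
crypto ca certificate map LAB-OU-MAP 10
 subject-name attr ou eq lab-routers
tunnel-group-map enable rules
tunnel-group-map LAB-OU-MAP 10 192.0.2.1

! ---------- IOS router (192.0.2.1), assumes trustpoint LAB-CA is enrolled ----------
! The IOS default is "crypto isakmp identity address", which fails the ASA's DN check
crypto isakmp identity dn
crypto isakmp policy 10
 encr aes
 hash sha
 authentication rsa-sig
 group 2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address L2L-ACL
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CM
```

With the router left at its default identity the ASA rejects the MM5 identity and phase 1 never completes; after the change, `show crypto isakmp sa` on either side should show the established SA.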
