Roger,

Configuration of using certs on an ASA for IPsec? Lab12 has it, as does
another lab, but I can't think of it off the top of my head. I will have to
look.

I will say I need to revisit the question on Lab12 because I was having
problems with it at the time. Maybe an off day. The configuration that is
shown should definitely work but I didn't get it working at the time.

Regards,

Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities:
http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage
Lab Certifications.

From: Roger Cheeks [mailto:[email protected]]
Sent: Wednesday, October 07, 2009 9:44 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] peer-id-validate

Does anyone have an example of this configuration in a lab? I am having
trouble finding anything like it in the Cisco docs.

Thanks,

Roger

On Wed, Oct 7, 2009 at 8:27 AM, Tyson Scott <[email protected]> wrote:

When you configure certificates for an IPsec tunnel you will find that by
default it also sends the OU. If this is the same OU as the ASA, no
additional configuration is required. If the OU is different then you need
to specify the OUs that you will accept.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities:
http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage
Lab Certifications.


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Wednesday, October 07, 2009 5:33 AM
To: [email protected]
Subject: [OSL | CCIE_Security] peer-id-validate

Hello group,

When doing IPsec with PKI to an ASA, there's an option on the ASA to check
whether the peer-id sent in the identity payload of the 5th packet of the MM
exchange is identical to the DN (subject) of the peer cert:
   tunnel-group <name> ipsec-attributes
          peer-id-validate req|nocheck|cert

While the first two options are clear (just -- check or do not check),
the "cert" option is somewhat obscure.
The command lookup at Cisco says: "cert - if supported by cert".
What does that mean?
I believe each cert must have a DN field (cn, ou, etc)...
Or no?
Understanding that is important because the ASA is set to require
the check by default, and, on the other hand, IOS sends its IP address
as its ID by default, so the MM will not succeed without tweaking that.

Thank you.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
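Added illustration (not from the thread, the IPexpert labs, or Cisco's documentation) of how the two points raised above fit together: Tyson's note that a peer whose certificate OU differs from the ASA's must be explicitly accepted, and the original question's observation that IOS sends its IP address as the IKE identity by default, which cannot match the certificate DN when the ASA is left at its default peer-id-validate req. All names and values (trustpoint LAB-CA, certificate map VPN-PEERS, tunnel group L2L-PEER, OU "VPN-Peers", peer address 192.0.2.1) are constructed placeholders. The syntax assumes pre-8.4 ASA code, as in the 2009 thread; on 8.4 and later the trust-point line under ipsec-attributes is written as ikev1 trust-point.

```text
! --- ASA side ---
! Trustpoint holding the CA that signed the peer's certificate
! (enrollment method and subject are constructed placeholders)
crypto ca trustpoint LAB-CA
 enrollment terminal
 subject-name CN=asa1,OU=VPN-Peers,O=Lab
!
! Certificate map: only certificates whose subject carries the expected OU
! are allowed to land in the tunnel group. This is the "specify the OUs you
! will accept" step when the peer's OU differs from the ASA's own.
crypto ca certificate map VPN-PEERS 10
 subject-name attr ou eq VPN-Peers
!
! Bind the certificate map to the site-to-site tunnel group
tunnel-group-map enable rules
tunnel-group-map VPN-PEERS 10 L2L-PEER
!
! Site-to-site tunnel group authenticated with certificates. peer-id-validate
! req (the default) rejects the peer unless the IKE identity payload matches
! the subject DN of the certificate it presented; nocheck skips the
! comparison; cert performs it only if the certificate supports it.
tunnel-group L2L-PEER type ipsec-l2l
tunnel-group L2L-PEER ipsec-attributes
 trust-point LAB-CA
 peer-id-validate req

! --- IOS side ---
! IOS sends its IP address as the IKE identity by default, so main mode
! fails against peer-id-validate req. Sending the DN instead gives the ASA
! an identity it can compare with the certificate subject.
crypto isakmp identity dn
```

Keeping peer-id-validate at req and steering certificates into the tunnel group by OU means a peer is accepted only when the identity it claims, the certificate it presents, and the OU the ASA expects all agree; verify with show crypto isakmp sa and debug crypto isakmp on the ASA if main mode still stalls at the identity exchange.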
