From "Cisco ASA Configuration" by Richard Deal

http://books.google.com.sa/books?id=wn51t2Jv24wC&pg=PT430&lpg=PT430&dq=cisco+peer-id-validate&source=bl&ots=I3-TtCq-4F&sig=CCpBVbf5vIBtY_pj5KC3FeMa_a8&hl=ar&ei=P7jMStzfKtCg_AbLsJylBQ&sa=X&oi=book_result&ct=result&resnum=3&safe=active#v=onepage&q=cisco%20peer-id-validate&f=false

I quote from the book:

"If you are using Certificates, use the Peer-id-validate command to specify 
their usage:

Cert --> If both peers support Certificates and the use of Certificates is 
negotiated during phase 1, then certificates will be used; otherwise pre-shared 
keys will be used

nocheck --> Certificates are not used

Req --> Certificates must be used with this tunnel group or the L2L tunnel will 
fail"


Regards,
Mohammed Gazzaz

> Date: Wed, 7 Oct 2009 17:27:40 +0200
> From: [email protected]
> To: [email protected]; [email protected]
> Subject: Re: [OSL | CCIE_Security] peer-id-validate
> 
> Thank you, Tyson; but this is not what I was asking about.
> The algo of MM with certs on ASA is:
>         - try to match the OU field to a tunnel-group name;
>         - if such TG is not found - try to find TG which name matches
> the peer address;
>         - if again not found - ASA gives up.
> 
> The check I was asking about is done after the TG is found.
> And the question was - what does "cert" option mean?
> ---------------------------------
> 
> 2009/10/7 Tyson Scott <[email protected]>:
> > When you configure certificates for an IPSec tunnel you will find that by
> > default it also sends the OU.  If this is the same OU as the ASA, no
> > additional configuration is required.  If the OU is different, then you need
> > to specify the OUs that you will accept.
> >
> > Regards,
> >
> > Tyson Scott - CCIE #13513 R&S and Security
> > Technical Instructor - IPexpert, Inc.
> >
> > Telephone: +1.810.326.1444
> > Cell: +1.248.504.7309
> > Fax: +1.810.454.0130
> > Mailto:  [email protected]
> >
> > Join our free online support and peer group communities:
> > http://www.IPexpert.com/communities
> >
> > IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
> > and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
> > Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
> > Lab Certifications.
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of
> > [email protected]
> > Sent: Wednesday, October 07, 2009 5:33 AM
> > To: [email protected]
> > Subject: [OSL | CCIE_Security] peer-id-validate
> >
> > Hello group,
> >
> > when doing ipsec with pki to asa, there's an option on asa to check
> > whether the peer-id sent in the identity payload of the 5th packet of the MM
> > exchange is identical to the DN (subject) of the peer cert:
> >    tunnel-group <name> ipsec-attributes
> >           peer-id-validate req|nocheck|cert
> >
> > while the first two options are clear (just check or do not check),
> > the "cert" option is somewhat obscure.
> > the command lookup at cisco says: "cert - if supported by cert".
> > what does that mean?
> > I believe each cert must have a DN field (cn, ou, etc)...
> > Or no?
> > Understanding that is important because ASA is set to require
> > the check by default, and, on the other hand, IOS sends the IP address
> > as its id by default, so the MM will not succeed without tweaking that.
> >
> > thank you.
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please
> > visit www.ipexpert.com
> >
> >
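To put the three peer-id-validate options and the OU-to-tunnel-group matching discussed above side by side, here is a constructed configuration example. It is not from the thread, the book, or Cisco documentation; the trustpoint name, tunnel-group name, peer address (203.0.113.2) and OU value are all assumed. It shows the strict setting (req), the lax setting (nocheck) as contrast, a certificate map that maps a peer whose OU does not equal any tunnel-group name into the right group, and the IOS-side identity setting needed so the ID payload carries the certificate DN rather than the IP address.

```text
! ---- ASA side (constructed example; names are assumptions) ----
! Trustpoint holding the CA that signed the peer certificates
crypto ca trustpoint EXAMPLE-CA
 enrollment terminal
 crl configure

! Send our own identity as the certificate DN when certs are in use
crypto isakmp identity auto

! Accept peers whose certificate OU is "VPN-SITES" into the L2L group below,
! even though "VPN-SITES" is not itself a tunnel-group name (Tyson's point)
crypto ca certificate map SITE-CERT-MAP 10
 subject-name attr ou eq VPN-SITES

tunnel-group-map enable ou
tunnel-group-map SITE-CERT-MAP 10 203.0.113.2

! L2L tunnel group named after the peer address (second lookup in the MM algo)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 trust-point EXAMPLE-CA
 ! Strict: the ID payload must match the certificate subject or phase 1 fails
 peer-id-validate req
 ! Lax alternative, shown for contrast only; it skips the identity check:
 ! peer-id-validate nocheck
 ! Middle ground from the book: use certs if negotiated, else fall back to PSK:
 ! peer-id-validate cert

! ---- IOS side (constructed example) ----
! IOS sends its IP address as ISAKMP identity by default; switch it to the
! certificate DN so the ASA's "req" check can succeed
crypto isakmp identity dn
```

With peer-id-validate req the ASA compares the identity the IOS router sends in the fifth main-mode packet against the subject DN of the certificate presented in the same exchange, so the IOS side must send its DN (crypto isakmp identity dn) for the tunnel to come up; nocheck removes that binding between identity and certificate and should be reserved for troubleshooting.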