I am sorry, I guess I misunderstood the question. The "cert" and "req" options are almost synonymous.
The difference is the flexibility of cert. "req" means it has to match a certificate during the Phase 1 negotiation in the X.509 Certificate Exchange. The cert option will use certificates if the X.509 exchange occurs during phase 1 negotiation, but if it doesn't occur it will revert back to using pre-shared keys. Here are the best two lines that I could find on it:

http://books.google.com/books?id=wn51t2Jv24wC&pg=PT430&lpg=PT430&dq=%22peer-id-validate%22&source=bl&ots=I3-TtCsX4G&sig=QA-zoB6z_QHJW5m--DwUndq0Mxg&hl=en&ei=gL7MSo6wGoOmsgPq4O2XAQ&sa=X&oi=book_result&ct=result&resnum=8#v=onepage&q=%22peer-id-validate%22&f=false

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities:
http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, October 07, 2009 11:28 AM
To: [email protected]; Tyson Scott
Subject: Re: [OSL | CCIE_Security] peer-id-validate

Thank you, Tyson; but this is not what I was asking about.

The algo of MM with certs on ASA is:
- try to match the OU field to a tunnel-group name;
- if such TG is not found - try to find TG whose name matches the peer address;
- if again not found - ASA gives up.

The check I was asking about is done after the TG is found. And the question was - what does the "cert" option mean?

---------------------------------

2009/10/7 Tyson Scott <[email protected]>:
> When you configure certificates for an IPSec tunnel you will find that by
> default it also sends the OU. If this is the same OU as the ASA no
> additional configuration is required. If the OU is different then you need
> to specify the OU's that you will accept.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> [email protected]
> Sent: Wednesday, October 07, 2009 5:33 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] peer-id-validate
>
> Hello group,
>
> when doing ipsec with pki to asa, there's an option on asa to check
> whether the peer-id sent in the identity payload of the 5th packet of the MM
> exchange is identical to the DN (subject) of the peer cert:
>
> tunnel-group <name> ipsec-attributes
>   peer-id-validate req|nocheck|cert
>
> while the first two options are clear (just -- check or do not check),
> the "cert" option is somewhat obscure.
> the command lookup at cisco says: "cert - if supported by cert".
> what does that mean?
> I believe each cert must have a DN field (cn, ou, etc)...
> Or no?
> Understanding that is important because ASA is set to require
> the check by default, and, on the other hand, IOS sends IP address
> as its id by default, so the MM will not succeed without tweaking with that.
>
> thank you.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
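The thread above describes the ASA check (peer-id-validate under tunnel-group ipsec-attributes) and the IOS-side cause of the Main Mode failure (IOS sending its IP address as the ISAKMP identity). The following configuration fragment is an added illustration, not anything posted in the thread: it writes out the ASA default ("req") explicitly on a site-to-site tunnel group selected by peer address, and pairs it with the IOS "crypto isakmp identity dn" setting so that the identity payload carries the certificate DN the ASA will compare against. The trustpoint name LAB-CA, the peer address 192.0.2.10 and the policy numbers are placeholders; the crypto map, ACL and interface bindings that a working tunnel also needs are omitted.

```cisco
! --- ASA side (constructed example; LAB-CA and 192.0.2.10 are placeholders) ---
! Trustpoint holding the ASA identity certificate and the issuing CA chain.
crypto ca trustpoint LAB-CA
 enrollment terminal
!
! Phase 1 policy authenticating with RSA signatures rather than pre-shared keys.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Site-to-site tunnel group matched by the peer address (the thread describes
! the OU-first, then address lookup order). "req" is the ASA default for
! peer-id-validate; it is written out so the requirement is visible in the
! running configuration. The other accepted values are nocheck and cert.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 trust-point LAB-CA
 peer-id-validate req
!
! --- IOS peer side (constructed example) ---
! Trustpoint for the router's own certificate, enrolled against the same CA.
crypto pki trustpoint LAB-CA
 enrollment terminal
!
! IOS sends its IP address as the ISAKMP ID by default. With "req" on the ASA,
! the identity in the 5th Main Mode packet must equal the certificate subject,
! so the router is told to send its DN instead.
crypto isakmp identity dn
!
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
```

With both sides configured this way, the ASA compares the DN received in the Main Mode identity payload against the subject of the certificate the router presents; a mismatch is visible in the ASA ISAKMP debug output as a Phase 1 failure rather than a silent fall-through to another tunnel group.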
