Well, try this:
tunnel-group X.X.X.X ipsec-attributes
 peer-id-validate cert
You will see the issue disappear :)
Basically, the peer-id-validate cert command is used to validate the
identity of the IPSec peer using its certificate.
On Tue, Oct 13, 2009 at 4:29 PM, Kingsley Charles
<[email protected]> wrote:
> Hi all
>
> I am trying to bring up a site-to-site VPN between an IOS router (2800) and
> an ASA. With pre-shared keys, the tunnel comes up, but if I switch over to
> certificates it fails. I am using an IOS CA server.
>
> The "debug crypto isakmp" output displays the following error:
>
> "Unable to compare IKE ID against peer cert Subject Alt Name
> Initiator FSM error history (struct &0xc937a298) <state>, <event>:
> MM_DONE, EV_ERROR-->MM_I_DONE_H, EV_COMPARE_IDS-->MM_I_DONE_H,
> EV_CERT_OK-->MM_I_DONE_H, NullEvent-->MM_I_DONE_H, EV_VALIDATE_CERT-->MM_I_DONE_H,
> EV_TEST_CERT-->MM_I_DONE_H, EV_CHECK_NAT_T-->MM_I_DONE_H, EV_GROUP_LOOKUP"
>
> On the ASA side, I have configured the following, which is necessary:
>
> crypto map mine 1 set trustpoint <name>
>
> tunnel-group X.X.X.X ipsec-attributes
> trust-point <name>
>
> Is there anything else that I need to configure?
>
> Please give your inputs.
>
> With regards
> Kings
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
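As an added example (not part of either mail), a small parser for the "FSM error history" block quoted above. The history is printed with the newest transition first (MM_DONE, EV_ERROR at the head), and the mail client wrapped it mid-token; the script re-joins the wrapped lines, reverses the list into chronological order, and reports which event immediately preceded EV_ERROR, so the failing step (the ID comparison right after EV_CERT_OK) is visible at a glance. The debug text below is a constructed copy of the quoted output, wraps included.

```python
# Constructed copy of the "debug crypto isakmp" output from the thread,
# including the line wraps that split "NullEvent" and "MM_I_DONE_H".
DEBUG_TEXT = """Unable to compare IKE ID against peer cert Subject Alt Name
Initiator FSM error history (struct &0xc937a298) <state>, <event>:
MM_DONE, EV_ERROR-->MM_I_DONE_H, EV_COMPARE_IDS-->MM_I_DONE_H,
EV_CERT_OK-->MM_I_DONE_H, N
ullEvent-->MM_I_DONE_H, EV_VALIDATE_CERT-->MM_I_DONE_H,
EV_TEST_CERT-->MM_I_DONE
_H, EV_CHECK_NAT_T-->MM_I_DONE_H, EV_GROUP_LOOKUP"""


def parse_fsm_history(text):
    """Return the (state, event) pairs in chronological order (oldest first)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "FSM error history" in line:
            # Everything after the header is one history string that was
            # wrapped by the mail client; joining without a separator
            # repairs tokens split across lines (e.g. "N" + "ullEvent").
            history = "".join(part.strip() for part in lines[i + 1:])
            break
    else:
        raise ValueError("no FSM error history found in debug output")
    pairs = []
    for chunk in history.strip().strip('"').split("-->"):
        state, event = (p.strip() for p in chunk.split(",", 1))
        pairs.append((state, event))
    pairs.reverse()  # the ASA lists the newest transition first
    return pairs


def last_event_before_error(pairs):
    """Name the event that was processed just before EV_ERROR, or None."""
    events = [event for _, event in pairs]
    if "EV_ERROR" not in events:
        return None
    idx = events.index("EV_ERROR")
    return events[idx - 1] if idx > 0 else None


if __name__ == "__main__":
    history = parse_fsm_history(DEBUG_TEXT)
    for state, event in history:
        print(f"{state:12s} {event}")
    # Expected: EV_COMPARE_IDS, i.e. the peer cert validated (EV_CERT_OK)
    # but the IKE ID could not be matched against it, which is exactly
    # what the first debug line says and what peer-id-validate governs.
    print("failed at:", last_event_before_error(history))
```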