On Tue, Oct 13, 2009 at 7:21 PM, Kingsley Charles <[email protected]> wrote:
> Yes, it worked.
>
> Thanks a lot.
>
> This command did strike me but I applied the IOS logic :-)
>
> Can you please tell me, for which cases we would use:
>
> peer-id-validate req
> peer-id-validate nocheck
>
> peer-id-validate req is used for "pre-shared" which is default, right?
>
> With regards
> Kings
>
> On Tue, Oct 13, 2009 at 7:11 PM, Badar Farooq <[email protected]> wrote:
>
>> Well try this
>> tunnel-group X.X.X.X ipsec-attributes
>> peer-id-validate cert
>>
>> You will see the issue disappear :)
>> Basically peer-id-validate cert command is used to validate the
>> identity of the IPSec peer using its certificate.
>>
>> On Tue, Oct 13, 2009 at 4:29 PM, Kingsley Charles
>> <[email protected]> wrote:
>> > Hi all
>> >
>> > I am trying to bring up a site to site VPN between an IOS router (2800) and
>> > ASA. With pre-shared keys, the tunnel comes up but if I switch over to
>> > certificates it fails. I am using an IOS CA server.
>> >
>> > The "debug crypto isakmp" error displays the following error:
>> >
>> > "Unable to compare IKE ID against peer cert Subject Alt Name
>> > Initiator FSM error history (struct &0xc937a298) <state>, <event>:
>> > MM_DONE, EV_ERROR-->MM_I_DONE_H, EV_COMPARE_IDS-->MM_I_DONE_H,
>> > EV_CERT_OK-->MM_I_DONE_H, N
>> > ullEvent-->MM_I_DONE_H, EV_VALIDATE_CERT-->MM_I_DONE_H,
>> > EV_TEST_CERT-->MM_I_DONE
>> > _H, EV_CHECK_NAT_T-->MM_I_DONE_H, EV_GROUP_LOOKUP"
>> >
>> > On the ASA side, I have configured following that is necessary:
>> >
>> > crypto map mine 1 set trustpoint <name>
>> >
>> > tunnel-group X.X.X.X ipsec-attributes
>> > trust-point <name>
>> >
>> > Is there anything else that I need to configure?
>> >
>> > Please give your inputs.
>> >
>> > With regards
>> > Kings
>> > _______________________________________________
>> > For more information regarding industry leading CCIE Lab training, please
>> > visit www.ipexpert.com
