peer-id-validate req merely means that the other side's ID must be checked in ISAKMP negotiations. The issue with this is that the firewall doesn't check the certificate presented by the other end for the ID, and the default identity presented by the other end is the IP address. With peer-id-validate cert, the firewall looks into the certificate for the remote end device ID. Remember that in ISAKMP negotiations, devices are supposed to verify each other's identities. I am not sure about peer-id-validate nocheck.

P.S. I am hardly an expert, so don't take my word for it. I have come across the issue and solved it as mentioned before, but the detailed info I am not sure about, so waiting for the experts on the mailing list to chip in :)

On Tue, Oct 13, 2009 at 4:59 PM, Kingsley Charles <[email protected]> wrote:
>
> On Tue, Oct 13, 2009 at 7:21 PM, Kingsley Charles <[email protected]> wrote:
>>
>> Yes, it worked.
>>
>> Thanks a lot.
>>
>> This command did strike me but I applied the IOS logic :-)
>>
>> Can you please tell me, for which cases we would use:
>>
>> peer-id-validate req
>> peer-id-validate nocheck
>>
>> peer-id-validate req is used for "pre-shared" which is default, right?
>>
>> With regards
>> Kings
>>
>> On Tue, Oct 13, 2009 at 7:11 PM, Badar Farooq <[email protected]> wrote:
>>>
>>> Well try this
>>> tunnel-group X.X.X.X ipsec-attributes
>>> peer-id-validate cert
>>>
>>> You will see the issue disappear :)
>>> Basically the peer-id-validate cert command is used to validate the
>>> identity of the IPSec peer using its certificate.
>>>
>>> On Tue, Oct 13, 2009 at 4:29 PM, Kingsley Charles <[email protected]> wrote:
>>> > Hi all
>>> >
>>> > I am trying to bring up a site to site VPN between an IOS router (2800)
>>> > and ASA. With pre-shared keys, the tunnel comes up but if I switch over to
>>> > certificates it fails. I am using an IOS CA server.
>>> >
>>> > The "debug crypto isakmp" error displays the following error:
>>> >
>>> > "Unable to compare IKE ID against peer cert Subject Alt Name
>>> > Initiator FSM error history (struct &0xc937a298) <state>, <event>:
>>> > MM_DONE, EV_ERROR-->MM_I_DONE_H, EV_COMPARE_IDS-->MM_I_DONE_H,
>>> > EV_CERT_OK-->MM_I_DONE_H, NullEvent-->MM_I_DONE_H, EV_VALIDATE_CERT-->MM_I_DONE_H,
>>> > EV_TEST_CERT-->MM_I_DONE_H, EV_CHECK_NAT_T-->MM_I_DONE_H, EV_GROUP_LOOKUP"
>>> >
>>> > On the ASA side, I have configured the following that is necessary:
>>> >
>>> > crypto map mine 1 set trustpoint <name>
>>> >
>>> > tunnel-group X.X.X.X ipsec-attributes
>>> > trust-point <name>
>>> >
>>> > Is there anything else that I need to configure?
>>> >
>>> > Please give your inputs.
>>> >
>>> > With regards
>>> > Kings
>>> > _______________________________________________
>>> > For more information regarding industry leading CCIE Lab training, please
>>> > visit www.ipexpert.com
