With the ASA, I continually get "Unable to compare IKE ID against peer cert Subject Alt Name". By changing the tunnel-group to "peer-id-validate cert", everything is fine. However, according to the Cisco documentation, this only validates the ID against the certificate if the certificate supports it. Setting it back to the default of "peer-id-validate req" would force it to validate the ID against the certificate or fail. Mine fails. So, I need to understand the process that happens for validating an ID against a certificate. I am on lab 12 4.3 right now and cannot seem to resolve the issue. I have also tried enabling certificate mapping rules. I can get the sessions to land where I think they should, but they always fail the same way.
Oct 17 14:24:57 [IKEv1 DEBUG]: IP = 6.6.156.5, processing notify payload
Oct 17 14:24:57 [IKEv1]: IP = 6.6.156.5, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Oct 17 14:24:57 [IKEv1]: IP = 6.6.156.5, Trying to find group via cert rules...
Oct 17 14:24:57 [IKEv1]: IP = 6.6.156.5, Connection landed on tunnel_group 6.6.156.5
Oct 17 14:24:57 [IKEv1 DEBUG]: Group = 6.6.156.5, IP = 6.6.156.5, peer ID type 1 received (IPV4_ADDR)
Oct 17 14:24:57 [IKEv1]: Group = 6.6.156.5, IP = 6.6.156.5, Unable to compare IKE ID against peer cert Subject Alt Name <<<
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
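The comparison the ASA is complaining about is between the IKE identity the peer sends (here type 1, IPV4_ADDR) and the entries of the matching kind in the peer certificate's Subject Alternative Name extension: an IPV4_ADDR identity can only be compared against iPAddress SAN entries, an FQDN identity against dNSName entries, and so on. If the certificate carries no SAN entry of the right kind there is nothing to compare, which is the situation "peer-id-validate req" rejects and "peer-id-validate cert" tolerates. The following added example (not part of the original post and not Cisco code) parses a constructed DER SubjectAltName and models that decision for the req and cert modes described in the post, plus the ASA's nocheck keyword; the exact internal ASA logic is assumed, not taken from the post, and the certificates are built inline for illustration.

```python
import ipaddress

# Context-specific IMPLICIT tags used inside the SubjectAltName GeneralNames SEQUENCE (RFC 5280).
TAG_RFC822 = 0x81   # [1] rfc822Name -> compared against IKE ID type USER_FQDN
TAG_DNS    = 0x82   # [2] dNSName    -> compared against IKE ID type FQDN
TAG_IPADDR = 0x87   # [7] iPAddress  -> compared against IKE ID type IPV4_ADDR

# IKEv1 / ISAKMP identification type values (RFC 2407); the log line
# "peer ID type 1 received (IPV4_ADDR)" refers to value 1.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3

# Assumed mapping: which SAN entry kind an IKE ID type is compared against.
SAN_TAG_FOR_ID_TYPE = {ID_IPV4_ADDR: TAG_IPADDR, ID_FQDN: TAG_DNS, ID_USER_FQDN: TAG_RFC822}


def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def build_san(entries):
    """Constructed test helper: DER-encode a GeneralNames SEQUENCE (short lengths only)."""
    body = b""
    for tag, value in entries:
        raw = ipaddress.ip_address(value).packed if tag == TAG_IPADDR else value.encode("ascii")
        body += bytes([tag, len(raw)]) + raw
    return b"\x30" + bytes([len(body)]) + body


def parse_san(der):
    """Return a list of (tag, value) from a DER GeneralNames SEQUENCE."""
    if der[0] != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    total, pos = _read_len(der, 1)
    end = pos + total
    names = []
    while pos < end:
        tag = der[pos]
        pos += 1
        ln, pos = _read_len(der, pos)
        raw = der[pos:pos + ln]
        pos += ln
        if tag == TAG_IPADDR:
            names.append((tag, str(ipaddress.ip_address(raw))))
        elif tag in (TAG_DNS, TAG_RFC822):
            names.append((tag, raw.decode("ascii")))
        else:
            names.append((tag, raw))  # other GeneralName choices kept opaque
    return names


def validate_peer_id(id_type, id_value, san_names, mode):
    """Model of tunnel-group 'peer-id-validate req|cert|nocheck'.

    Returns (accepted, reason). The 'req' branch with no matching SAN kind
    reproduces the 'Unable to compare IKE ID against peer cert Subject Alt Name' failure.
    """
    if mode == "nocheck":
        return True, "nocheck: IKE ID not compared with certificate"
    wanted = SAN_TAG_FOR_ID_TYPE.get(id_type)
    candidates = [v for t, v in san_names if t == wanted]
    if not candidates:
        if mode == "cert":
            return True, "cert: certificate has no SAN entry of the matching kind, comparison skipped"
        return False, "req: Unable to compare IKE ID against peer cert Subject Alt Name"
    if id_value.lower() in (c.lower() for c in candidates):
        return True, "IKE ID matched a SAN entry of the matching kind"
    return False, "IKE ID does not match any SAN entry of the matching kind"


# Constructed sample certificates' SAN extensions (not from a real device).
SAN_DNS_ONLY = build_san([(TAG_DNS, "vpn.example.com")])
SAN_WITH_IP = build_san([(TAG_DNS, "vpn.example.com"), (TAG_IPADDR, "6.6.156.5")])


if __name__ == "__main__":
    for label, san in (("dNSName only", SAN_DNS_ONLY), ("dNSName + iPAddress", SAN_WITH_IP)):
        for mode in ("req", "cert", "nocheck"):
            ok, why = validate_peer_id(ID_IPV4_ADDR, "6.6.156.5", parse_san(san), mode)
            print(f"{label:20s} {mode:8s} {'accept' if ok else 'REJECT'}: {why}")
```

The practical check this suggests is to inspect the peer's certificate SAN for an entry of the same kind as the identity it sends: with an IPV4_ADDR identity, the certificate needs an iPAddress SAN entry equal to that address, or the peer needs to send an identity kind (for example FQDN) that the certificate's SAN actually carries, before "peer-id-validate req" can succeed.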
