Paul, I have also struggled with this issue. I know the solution, i.e. peer-id-validate cert, but not the mechanism. And solution guides seem to get it to work without this command anyway.

Waiting for someone to give a detailed explanation.

On Sat, Oct 17, 2009 at 9:27 PM, Paul Stewart <[email protected]> wrote:

> With the ASA, I continually get "Unable to compare IKE ID against peer cert
> Subject Alt Name". By changing the tunnel-group to "peer-id-validate cert",
> everything is fine. However, according to the Cisco documentation, this
> only validates the id against the certificate if the certificate supports
> it. Setting it back to the default of "peer-id-validate req" would force
> it to validate the id with the certificate or fail. Mine fails. So, I need
> to understand the process that happens for validating an id to a
> certificate. I am on lab 12 4.3 right now and cannot seem to resolve the
> issue. I have also tried enabling certificate mapping rules. I can get the
> sessions to land where I think they should, but they always fail the same
> way.
>
> Oct 17 14:24:57 [IKEv1 DEBUG]: IP = 6.6.156.5, processing notify payload
> Oct 17 14:24:57 [IKEv1]: IP = 6.6.156.5, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
> Oct 17 14:24:57 [IKEv1]: IP = 6.6.156.5, Trying to find group via cert rules...
> Oct 17 14:24:57 [IKEv1]: IP = 6.6.156.5, Connection landed on tunnel_group 6.6.156.5
> Oct 17 14:24:57 [IKEv1 DEBUG]: Group = 6.6.156.5, IP = 6.6.156.5, peer ID type 1 received (IPV4_ADDR)
> Oct 17 14:24:57 [IKEv1]: Group = 6.6.156.5, IP = 6.6.156.5, Unable to compare IKE ID against peer cert Subject Alt Name <<<
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
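As an added illustration (not code from this thread or from Cisco), the Python below models the comparison the log above describes: the IKE identity the peer sent (type 1, IPV4_ADDR) is matched against the certificate's Subject Alternative Name entries, and the three peer-id-validate modes decide what happens when the certificate has no SAN of a comparable kind. The mode semantics follow the Cisco documentation as paraphrased in Paul's post, the function names are hypothetical, and the SAN list is constructed inline rather than read from a real certificate.

```python
import ipaddress
from typing import Iterable, Tuple

# IKEv1 identification payload ID types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5

# Which SubjectAltName GeneralName kind can carry each IKE ID type.
SAN_KIND_FOR_ID = {
    ID_IPV4_ADDR: "iPAddress",
    ID_IPV6_ADDR: "iPAddress",
    ID_FQDN: "dNSName",
    ID_USER_FQDN: "rfc822Name",
}


def _same(id_type: int, ike_id: str, san_value: str) -> bool:
    """Compare one IKE ID against one SAN value of the matching kind."""
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return ipaddress.ip_address(ike_id) == ipaddress.ip_address(san_value)
    return ike_id.lower() == san_value.lower()  # DNS/e-mail names are case-insensitive


def peer_id_validate(mode: str, id_type: int, ike_id: str,
                     san: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Decide whether an IKE ID is acceptable under a peer-id-validate mode.

    mode: "req"     - ID must match a SAN entry, otherwise fail (ASA default)
          "cert"    - compare only if the cert carries a SAN of a usable kind
          "nocheck" - skip the comparison entirely
    san:  constructed (kind, value) pairs, e.g. ("dNSName", "r1.lab.local")
    Returns (accepted, reason) so the decision can be logged.
    """
    if mode == "nocheck":
        return True, "peer-id-validate nocheck: comparison skipped"
    wanted = SAN_KIND_FOR_ID.get(id_type)
    candidates = [v for kind, v in san if kind == wanted]
    if not candidates:
        # This is the "Unable to compare IKE ID against peer cert Subject Alt Name" case.
        if mode == "cert":
            return True, "no comparable SAN; cert mode accepts"
        return False, "no comparable SAN; req mode rejects"
    if any(_same(id_type, ike_id, v) for v in candidates):
        return True, "IKE ID matches SAN"
    return False, "IKE ID does not match any SAN entry"
```

With a certificate that carries only a dNSName entry, an IPV4_ADDR identity is rejected under `req` and accepted under `cert`, which is the behaviour the post reports; adding an iPAddress SAN matching the peer address lets `req` succeed.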
