Kings,

I just did that lab 2 days ago and can't recall seeing that.  I'll do
that task again and look at it.  I did however have to upgrade the IOS
to T2 because with the T1 the EZVPN would not work properly.

Can you send me the output that you are seeing?

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
(R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
Security & Service Provider) Certification Training with locations
throughout the United States, Europe and Australia. Be sure to check
out our online communities at www.ipexpert.com/communities and our
public website at www.ipexpert.com.




On Tue, Feb 23, 2010 at 7:48 AM, Kingsley Charles
<[email protected]> wrote:
> Hi Brandon
>
> The same issue is seen even when I try to connect a VPN client to an IOS
> router.
>
> Lab 4A-4B section 4.6 EzVPN Server IOS.
>
>
> In the solution, the IOS EzVPN server was enrolled with "cn".
>
>
> With both ASA L2L with IOS router and Windows based EzVPN client with IOS
> EzVPN server, they both expect that the identity id sent in the IKE message
> should match the name in the certificate.
>
> By default, the IOS router sends the hostname as IKE ID and hence the peer
> id validity fails.
>
> We have two solutions for that:
>
> Either configure "crypto isakmp identity dn"
>
> or
>
> Enroll certificate with cn=name and the name should be the same as the IKE
> ID.
>
>
>
>
>
>
>
> With regards
> Kings
>
> On Mon, Feb 22, 2010 at 8:52 PM, Brandon Carroll <[email protected]>
> wrote:
>>
>> Jimmy. Yes, That option defines the alternative name.
>>
>> Regards,
>> Brandon Carroll - CCIE #23837
>>
>> On Feb 22, 2010, at 2:35 AM, Kingsley Charles <[email protected]>
>> wrote:
>>
>> Hi Brandon
>>
>> I did see that option of specifying FQDN both in router and ASA. But is
>> that the Alternate Subject name?
>>
>>
>>
>>
>> With regards
>> Kings
>>
>>
>> On Mon, Feb 22, 2010 at 5:07 AM, Brandon Carroll <[email protected]>
>> wrote:
>>>
>>> Kings- have you tried this:
>>>
>>>
>>> ciscoasa(config-ca-trustpoint)# fqdn webvpn.cisco.com
>>>
>>> ! Specifies the FQDN (DNS:) to be used as the subject alternative
>>> name.
>>>
>>> I think this may be what you're looking for.
>>>
>>>
>>> Regards,
>>>
>>> Brandon Carroll - CCIE #23837
>>>
>>>
>>>
>>>
>>> On Sat, Feb 20, 2010 at 10:13 AM, Kingsley Charles
>>> <[email protected]> wrote:
>>> > I have raised for the following reason:
>>> >
>>> >
>>> > I am trying to bring up L2L VPN between IOS router and ASA. On the ASA, I get
>>> > the
>>> > following error message:
>>> >
>>> >
>>> > Feb 20 01:57:42 [IKEv1]: Group = R3, IP = 162.1.13.3, Unable to compare
>>> > IKE
>>> >  ID against peer cert Subject Alt Name
>>> >
>>> >
>>> >
>>> > If I have "peer id validate" with certificate, the tunnel comes up. It
>>> > seems
>>> > the ASA is trying to match the Alt name with the IKE. Since, there is
>>> > no ALT
>>> > name, the validation fails.
>>> >
>>> >
>>> > Then I tried adding CN as the hostname in the router during enrollment
>>> > and
>>> > then the tunnel came up without the need of "peer id validate" with
>>> > certificate on the ASA.
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > With regards
>>> > Kings
>>> > On Sat, Feb 20, 2010 at 5:07 PM, Kingsley Charles
>>> > <[email protected]> wrote:
>>> >>
>>> >> Hi all
>>> >>
>>> >> I have done it before but it's not striking me now. When you enroll an
>>> >> IOS
>>> >> router or ASA to a CA server, how do we include an Alternate name?
>>> >>
>>> >> Is CN and Alt Name the same?
>>> >>
>>> >>
>>> >>
>>> >> With regards
>>> >> Kings
>>> >
>>> > _______________________________________________
>>> > For more information regarding industry leading CCIE Lab training,
>>> > please
>>> > visit www.ipexpert.com
>>> >
>>> >
>>
>
>
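The two router-side fixes listed in the quoted message, plus the ASA-side setting mentioned earlier in the thread, written out as configuration. This is an added example, not taken from the thread or the lab solution; the trustpoint name `LAB-CA` and the enrollment URL are placeholders, and `R3` is the group name from the quoted log line.

```cisco
! ---- IOS router, option 1 from the thread ----
! Send the certificate's distinguished name as the IKE identity
! instead of the hostname.
crypto isakmp identity dn
!
! ---- IOS router, option 2 from the thread ----
! Enroll with a CN that equals the name the router sends as its
! IKE ID (the hostname, per the thread).
! LAB-CA and the URL below are placeholders.
hostname R3
!
crypto pki trustpoint LAB-CA
 enrollment url http://192.0.2.10:80
 subject-name cn=R3
!
! ---- ASA side, workaround reported in the thread ----
! The original poster reports the tunnel comes up with peer ID
! validation set to "cert" on the tunnel group, without changing
! the router's identity or certificate.
tunnel-group R3 ipsec-attributes
 peer-id-validate cert
```

Either router-side option alone addresses the mismatch described in the thread; the ASA setting changes how the ASA validates the peer ID rather than what the router sends.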