If you didn't want to use "crypto isakmp identity dn" then you would need to set your cn=<ip of router/asa>
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, February 23, 2010 10:49 AM
To: Brandon Carroll
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Certificate with Alternative name

Hi Brandon

The same issue is seen even when I try to connect a VPN client to an IOS router. Lab 4A-4B section 4.6 EzVPN Server IOS. In the solution, the IOS EzVPN server was enrolled with "cn". With both ASA L2L with IOS router and Windows-based EzVPN client with IOS EzVPN server, they both expect that the identity ID sent in the IKE message should match the name in the certificate. By default, the IOS router sends the hostname as IKE ID and hence the peer ID validity fails.

We have two solutions for that: either configure "crypto isakmp identity dn", or enroll the certificate with cn=name, where the name is the same as the IKE ID.

With regards
Kings

On Mon, Feb 22, 2010 at 8:52 PM, Brandon Carroll <[email protected]> wrote:

Jimmy. Yes, that option defines the alternative name.
Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
::Message Sent from iPhone::

On Feb 22, 2010, at 2:35 AM, Kingsley Charles <[email protected]> wrote:

Hi Brandon

I did see that option of specifying FQDN both in router and ASA. But is that the Alternate Subject name?

With regards
Kings

On Mon, Feb 22, 2010 at 5:07 AM, Brandon Carroll <[email protected]> wrote:

Kings- have you tried this:

ciscoasa(config-ca-trustpoint)# fqdn webvpn.cisco.com
! Specifies the FQDN (DNS:) to be used as the subject alternative name.

I think this may be what you're looking for.

Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert

On Sat, Feb 20, 2010 at 10:13 AM, Kingsley Charles <[email protected]> wrote:
> I have raised this for the following reason:
>
> I am trying to bring up an L2L VPN between an IOS router and an ASA.
> On the ASA, I get the following error message:
>
> Feb 20 01:57:42 [IKEv1]: Group = R3, IP = 162.1.13.3, Unable to compare IKE ID against peer cert Subject Alt Name
>
> If I have "peer id validate" with certificate, the tunnel comes up. It seems the ASA is trying to match the Alt name with the IKE ID. Since there is no Alt name, the validation fails.
>
> Then I tried adding CN as the hostname in the router during enrollment, and then the tunnel came up without the need of "peer id validate" with certificate on the ASA.
>
> With regards
> Kings
>
> On Sat, Feb 20, 2010 at 5:07 PM, Kingsley Charles <[email protected]> wrote:
>>
>> Hi all
>>
>> I have done it before but it's not striking me now. When you enroll an IOS router or ASA to a CA server, how do we include an Alternate name?
>>
>> Is CN and Alt Name the same?
>>
>> With regards
>> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
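The two fixes the thread settles on, written out as an added configuration example (not taken from the original posts or from the IPexpert lab solution). Trustpoint name, CA URL, domain name and the ASA address are assumed values; the router address 162.1.13.3 and group R3 come from the log line above.

```cisco
! --- IOS router R3 ---
! The ASA compares the IKE ID the router sends against the router's
! certificate. A certificate enrolled with neither a matching CN nor a
! Subject Alternative Name fails that comparison.
!
! Option 1: send the certificate's DN as the IKE identity, so the ASA
! matches it against the subject of the certificate it just validated.
crypto isakmp identity dn
!
! Option 2: keep a name-based identity, but enroll so the certificate
! carries that same name (CN and SAN). Assumed: trustpoint LAB-CA,
! CA at 10.0.0.1, domain lab.local.
hostname R3
ip domain-name lab.local
crypto pki trustpoint LAB-CA
 enrollment url http://10.0.0.1:80
 ! CN equal to the name the router will present as its IKE identity
 subject-name CN=R3.lab.local,O=LAB
 ! fqdn adds a DNS: SAN, ip-address adds an IP: SAN to the request
 fqdn R3.lab.local
 ip-address 162.1.13.3
 revocation-check none
! With option 2 the identity sent is the router's FQDN (hostname.domain).
crypto isakmp identity hostname
!
! --- ASA ---
! peer-id-validate is the check that produced the "Unable to compare IKE
! ID against peer cert Subject Alt Name" message. "req" enforces the
! match; "cert" only checks when the certificate supports it; "nocheck"
! removes the binding between the peer's identity and its certificate,
! so it is a workaround for the lab, not the fix.
tunnel-group 162.1.13.3 type ipsec-l2l
tunnel-group 162.1.13.3 ipsec-attributes
 peer-id-validate req
```

After re-enrolling, `show crypto pki certificates` on the router shows the Subject and Subject Alternative Name fields the ASA will be comparing against.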
