Kings,

You are right. The validation process (comparing IKE_ID to the certificate
payload) is not always performed, but the VPN Client specifically does it,
and you should always make sure to force the peer to send the DN as IKE_ID
(otherwise the client sees NULL in the cert payload and validation fails).
Regarding the ASA - I found it depends on the software version you have there. I
would recommend that you configure CN=FQDN and set IKE_ID to DN. If you still
experience any problems on the ASA, turn off validation using the "peer-id-validate"
command.

-- 
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com


On Tue, Feb 23, 2010 at 4:48 PM, Kingsley Charles <[email protected]> wrote:

> Hi Brandon
>
> The same issue is seen even when I try to connect a VPN client to an IOS
> router.
>
> Lab 4A-4B section 4.6 EzVPN Server IOS.
>
>
> In the solution, the IOS EzVPN server is enrolled with "cn".
>
>
> With both an ASA L2L with an IOS router and a Windows-based EzVPN client with an IOS
> EzVPN server, both expect that the identity sent in the IKE message
> should match the name in the certificate.
>
> By default, the IOS router sends the hostname as the IKE ID and hence the peer
> ID validation fails.
>
> We have two solutions for that:
>
> Either configure "crypto isakmp identity dn"
>
> or
>
> Enroll certificate with cn=name and the name should be the same as the IKE
> ID.
>
> With regards
> Kings
>
> On Mon, Feb 22, 2010 at 8:52 PM, Brandon Carroll <[email protected]> wrote:
>
>> Jimmy, yes, that option defines the alternative name.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> ::Message Sent from iPhone::
>>
>> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
>> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security &
>> Service Provider) Certification Training with locations throughout the
>> United States, Europe and Australia. Be sure to check out our online
>> communities at www.ipexpert.com/communities and our public website at
>> www.ipexpert.com.
>>
>> On Feb 22, 2010, at 2:35 AM, Kingsley Charles <[email protected]>
>> wrote:
>>
>>   Hi Brandon
>>
>> I did see that option of specifying the FQDN both in the router and the ASA. But is
>> that the Alternate Subject Name?
>>
>> With regards
>> Kings
>>
>> On Mon, Feb 22, 2010 at 5:07 AM, Brandon Carroll <[email protected]> wrote:
>>
>>> Kings- have you tried this:
>>>
>>>
>>> ciscoasa(config-ca-trustpoint)# fqdn webvpn.cisco.com
>>>
>>> ! Specifies the FQDN (DNS:) to be used as the subject alternative
>>> name.
>>>
>>> I think this may be what you're looking for.
>>>
>>>
>>> Regards,
>>>
>>> Brandon Carroll - CCIE #23837
>>> Senior Technical Instructor - IPexpert
>>> Mailto: [email protected]
>>> Telephone: +1.810.326.1444
>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>> eFax: +1.810.454.0130
>>>
>>>
>>> On Sat, Feb 20, 2010 at 10:13 AM, Kingsley Charles <[email protected]> wrote:
>>> > I have raised this for the following reason:
>>> >
>>> >
>>> > I am trying to bring up an L2L VPN between an IOS router and an ASA. On the ASA, I get the
>>> > following error message:
>>> >
>>> >
>>> > Feb 20 01:57:42 [IKEv1]: Group = R3, IP = 162.1.13.3, Unable to compare IKE ID against peer cert Subject Alt Name
>>> >
>>> >
>>> >
>>> > If I have "peer id validate" with certificate, the tunnel comes up. It seems
>>> > the ASA is trying to match the Alt Name with the IKE ID. Since there is no Alt
>>> > Name, the validation fails.
>>> >
>>> >
>>> > Then I tried adding the CN as the hostname in the router during enrollment and
>>> > then the tunnel came up without the need of "peer id validate" with
>>> > certificate on the ASA.
>>> >
>>> > With regards
>>> > Kings
>>> > On Sat, Feb 20, 2010 at 5:07 PM, Kingsley Charles <[email protected]> wrote:
>>> >>
>>> >> Hi all
>>> >>
>>> >> I have done it before but it's not striking me now. When you enroll an IOS
>>> >> router or ASA to a CA server, how do we include an Alternate Name?
>>> >>
>>> >> Are CN and Alt Name the same?
>>> >>
>>> >> With regards
>>> >> Kings
>>> >
>>> > _______________________________________________
>>> > For more information regarding industry leading CCIE Lab training, please
>>> > visit www.ipexpert.com
>>>
>>
>>
>
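The whole thread turns on one check: the ISAKMP ID the peer sends has to be comparable with something in its certificate (an ID_FQDN against a SAN dNSName, an ID_DER_ASN1_DN against the subject DN), and when the certificate has nothing comparable the ASA logs the "Unable to compare IKE ID against peer cert Subject Alt Name" message Kings quoted. The model below is an added example written for this page, not Cisco code and not part of the original thread. The certificate is a constructed stand-in (a subject DN string plus a SAN list rather than parsed X.509), every hostname, DN and address is an assumption, and the `cn_fallback` switch is an assumption that models the version-dependent ASA behaviour Piotr mentions rather than a documented option. It replays the three fixes discussed: `crypto isakmp identity dn`, adding the SAN with `fqdn` under the trustpoint, and relaxing `peer-id-validate`.

```python
"""IKEv1 peer-ID validation as discussed in the thread (added example, not Cisco code).
The certificate is a constructed stand-in (subject DN string plus SAN list), not
parsed X.509; every hostname, DN and address below is an assumption."""
from dataclasses import dataclass, field
from enum import Enum


class IdType(Enum):
    """ISAKMP identification payload types (RFC 2407, section 4.6.2.1)."""
    ID_FQDN = 2
    ID_DER_ASN1_DN = 9


@dataclass
class PeerCert:
    """Stand-in for the certificate fields the peer-ID check compares against."""
    subject_dn: str                              # e.g. "CN=R3,OU=CCIE" (subject-name under the trustpoint)
    san_dns: list = field(default_factory=list)  # SAN dNSName entries ('fqdn' under the trustpoint)


def parse_dn(dn):
    """Split an RFC 4514 style DN into ordered (TYPE, value) pairs.
    Types compare case-insensitively, values are case-folded and stripped, and
    RDN order is significant. Escaped commas are not handled (assumption)."""
    rdns = []
    for rdn in dn.split(","):
        if not rdn.strip():
            continue
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr_type.strip().upper(), value.strip().casefold()))
    return rdns


def dn_cn(dn):
    """Return the normalised CN attribute of a DN, or None."""
    return dict(parse_dn(dn)).get("CN")


NO_SAN = "Unable to compare IKE ID against peer cert Subject Alt Name"  # the ASA message in the thread


def validate_peer_id(id_type, id_value, cert, mode="req", cn_fallback=False):
    """Decide whether the IKE ID the peer sent is consistent with its certificate.
    mode mirrors the ASA 'peer-id-validate' keywords: 'req' requires the check,
    'cert' checks only when the certificate has a comparable field, 'nocheck'
    skips it. cn_fallback=True models software that compares an FQDN ID with the
    subject CN when no SAN exists (assumption, modelling the version dependence
    Piotr describes). Returns (ok, reason)."""
    if mode == "nocheck":
        return True, "peer-id-validate nocheck: identity not compared"
    if id_type is IdType.ID_DER_ASN1_DN:
        # 'crypto isakmp identity dn': the ID is the subject DN, compared RDN by RDN
        if parse_dn(id_value) == parse_dn(cert.subject_dn):
            return True, "IKE ID DN matches certificate subject"
        return False, "IKE ID DN %r does not match subject %r" % (id_value, cert.subject_dn)
    if id_type is IdType.ID_FQDN:
        names = [n.casefold() for n in cert.san_dns]
        if not names:                      # nothing in the cert to compare an FQDN against
            if mode == "cert":
                return True, "peer-id-validate cert: no SAN in certificate, check skipped"
            if cn_fallback and dn_cn(cert.subject_dn) == id_value.casefold():
                return True, "no SAN; FQDN ID matches subject CN"
            return False, NO_SAN
        if id_value.casefold() in names:
            return True, "IKE ID FQDN matches SAN dNSName"
        return False, "IKE ID FQDN %r not in SAN %r" % (id_value, cert.san_dns)
    raise ValueError("unsupported ID type %r" % id_type)


def ios_ike_id(identity, hostname, domain, cert):
    """The ID an IOS router sends for the 'crypto isakmp identity' keywords used here:
    'hostname' -> ID_FQDN hostname.domain, 'dn' -> the subject as ID_DER_ASN1_DN."""
    if identity == "hostname":
        return IdType.ID_FQDN, "%s.%s" % (hostname, domain)
    if identity == "dn":
        return IdType.ID_DER_ASN1_DN, cert.subject_dn
    raise ValueError(identity)


def lab_scenarios():
    """Replay the thread's cases with constructed certificates and names."""
    cn_only = PeerCert("CN=R3,OU=CCIE")                                # enrolled with subject-name only
    cn_fqdn = PeerCert("CN=R3.ipexpert.lab,OU=CCIE")                   # Piotr's CN=FQDN advice
    with_san = PeerCert("CN=R3,OU=CCIE", san_dns=["R3.ipexpert.lab"])  # 'fqdn R3.ipexpert.lab' in the trustpoint
    r = {}
    t, v = ios_ike_id("hostname", "R3", "ipexpert.lab", cn_only)
    r["hostname_no_san"] = validate_peer_id(t, v, cn_only)                     # Kings' ASA error
    r["hostname_no_san_cert_mode"] = validate_peer_id(t, v, cn_only, "cert")   # peer-id-validate cert
    t, v = ios_ike_id("dn", "R3", "ipexpert.lab", cn_only)
    r["dn_identity"] = validate_peer_id(t, v, cn_only)                         # crypto isakmp identity dn
    t, v = ios_ike_id("hostname", "R3", "ipexpert.lab", with_san)
    r["hostname_with_san"] = validate_peer_id(t, v, with_san)                  # SAN added at enrolment
    t, v = ios_ike_id("hostname", "R3", "ipexpert.lab", cn_fqdn)
    r["cn_fqdn_strict"] = validate_peer_id(t, v, cn_fqdn)                      # CN=FQDN, strict software
    r["cn_fqdn_fallback"] = validate_peer_id(t, v, cn_fqdn, cn_fallback=True)  # CN=FQDN, lenient software
    return r


if __name__ == "__main__":
    for name, (ok, reason) in lab_scenarios().items():
        print("%-26s %s  %s" % (name, "UP  " if ok else "FAIL", reason))
```

Run it and the first scenario fails with the exact ASA message from the thread, while `dn_identity` and `hostname_with_san` come up without touching `peer-id-validate`; the `cn_fqdn_*` pair shows why "CN=FQDN" alone only helps on software that falls back to the CN, which is why Piotr pairs it with sending the DN as the IKE ID. The DN comparison is deliberately order-sensitive, so an ID of `OU=CCIE,CN=R3` does not match a subject of `CN=R3,OU=CCIE`.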
