But in the lab, they will ask for a specific policy :-(

With regards
Kings
On Tue, Feb 23, 2010 at 11:31 PM, Tyson Scott <[email protected]> wrote:
> With the new client it seems the best thing to do is hardcode one that
> matches. Like
>
> crypto isakmp policy 10
>  encryption aes 256
>  hash sha1
>  group 5
>
> That one is the first tested by the client which makes it faster for
> negotiation.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
> Provider) Certification Training with locations throughout the United
> States, Europe and Australia. Be sure to check out our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Tuesday, February 23, 2010 12:49 PM
> *To:* Tyson Scott
> *Cc:* Brandon Carroll; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] Certificate with Alternative name
>
> There is one issue which is very consistent. When I connect the VPN client
> to an IOS server or ASA server, I get an informational failure, where none of
> the ISAKMP policies match the hardcoded policies on the server.
>
> Not sure what we should do when we get hit by it in the lab :-(
>
> With regards
> Kings
>
> On Tue, Feb 23, 2010 at 11:04 PM, Tyson Scott <[email protected]> wrote:
>
> If you didn't want to use "crypto isakmp identity dn" then you would need
> to set your cn=<ip of router/asa>
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Tuesday, February 23, 2010 10:49 AM
> *To:* Brandon Carroll
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] Certificate with Alternative name
>
> Hi Brandon
>
> The same issue is seen even when I try to connect a VPN client to an IOS
> router.
>
> Lab 4A-4B section 4.6 EzVPN Server IOS.
>
> In the solution, the IOS EzVPN server was enrolled with "cn".
>
> With both ASA L2L with IOS router and Windows based EzVPN client with IOS
> EzVPN server, they both expect that the identity id sent in the IKE message
> should match the name in the certificate.
>
> By default, the IOS router sends the hostname as IKE ID and hence the peer
> id validity fails.
>
> We have two solutions for that:
>
> Either configure "crypto isakmp identity dn"
>
> or
>
> Enroll certificate with cn=name and the name should be the same as the IKE
> ID.
>
> With regards
> Kings
>
> On Mon, Feb 22, 2010 at 8:52 PM, Brandon Carroll <[email protected]> wrote:
>
> Jimmy. Yes, that option defines the alternative name.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> ::Message Sent from iPhone::
>
> On Feb 22, 2010, at 2:35 AM, Kingsley Charles <[email protected]> wrote:
>
> Hi Brandon
>
> I did see that option of specifying FQDN both in router and ASA. But is
> that the Alternate Subject name?
>
> With regards
> Kings
>
> On Mon, Feb 22, 2010 at 5:07 AM, Brandon Carroll <[email protected]> wrote:
>
> Kings- have you tried this:
>
> ciscoasa(config-ca-trustpoint)# fqdn webvpn.cisco.com
> ! Specifies the FQDN (DNS:) to be used as the subject alternative name.
>
> I think this may be what you're looking for.
>
> Regards,
> Brandon Carroll - CCIE #23837
>
> On Sat, Feb 20, 2010 at 10:13 AM, Kingsley Charles <[email protected]> wrote:
>
> I have raised this for the following reason:
>
> I am trying to bring up an L2L VPN between an IOS router and an ASA. On the
> ASA, I get the following error message:
>
> Feb 20 01:57:42 [IKEv1]: Group = R3, IP = 162.1.13.3, Unable to compare IKE
> ID against peer cert Subject Alt Name
>
> If I have "peer id validate" with certificate, the tunnel comes up. It
> seems the ASA is trying to match the Alt name with the IKE ID. Since there
> is no Alt name, the validation fails.
>
> Then I tried adding CN as the hostname in the router during enrollment and
> then the tunnel came up without the need of "peer id validate" with
> certificate on the ASA.
>
> With regards
> Kings
>
> On Sat, Feb 20, 2010 at 5:07 PM, Kingsley Charles <[email protected]> wrote:
>
> Hi all
>
> I have done it before but it's not striking me now. When you enroll an IOS
> router or ASA to a CA server, how do we include an Alternate name?
>
> Is CN and Alt Name the same?
>
> With regards
> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
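As an added illustration (not code from the thread and not Cisco's implementation), a small Python model of the peer-ID check behind the "Unable to compare IKE ID against peer cert Subject Alt Name" error discussed above: the IKE identity is compared with the certificate's Subject Alternative Name of the matching type, falls back to the subject CN when no such SAN exists (the enrollment fix Kings found), is compared with the whole subject DN when the identity type is dn (the "crypto isakmp identity dn" fix), and is skipped when peer-ID validation is disabled. The certificates and identities are constructed sample values, and the rules are a simplification of the behaviour described in the thread.

```python
# Added illustration: a simplified model of IKE peer-ID validation against
# the peer's certificate, following the behaviour described in the thread.
# Not Cisco's implementation; all certificates below are constructed values.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCert:
    subject_dn: str                                  # e.g. "cn=R3,o=lab"
    sans: List[str] = field(default_factory=list)    # e.g. ["DNS:r3.lab"]

    def cn(self) -> Optional[str]:
        """Return the CN attribute of the subject DN, or None if absent."""
        for rdn in self.subject_dn.split(","):
            attr, _, value = rdn.strip().partition("=")
            if attr.strip().lower() == "cn":
                return value.strip()
        return None


def validate_peer_id(id_type: str, ike_id: str, cert: PeerCert,
                     check: bool = True) -> Tuple[bool, str]:
    """Decide whether the IKE identity payload is acceptable for this cert.

    id_type: 'hostname' (FQDN), 'address' (IPv4) or 'dn' (full subject DN).
    check=False models a peer-ID validation of 'nocheck': no comparison.
    """
    if not check:
        return True, "peer-ID validation disabled: identity not compared"
    if id_type == "dn":
        # "crypto isakmp identity dn" sends the whole subject DN as the ID
        if ike_id.lower() == cert.subject_dn.lower():
            return True, "IKE ID equals certificate subject DN"
        return False, "IKE ID DN does not equal certificate subject DN"
    # hostname IDs are compared with DNS: SANs, address IDs with IP: SANs
    san_prefix = "DNS:" if id_type == "hostname" else "IP:"
    candidates = [s[len(san_prefix):].lower() for s in cert.sans
                  if s.upper().startswith(san_prefix)]
    if candidates:
        if ike_id.lower() in candidates:
            return True, f"IKE ID matches a {san_prefix} subject alt name"
        return False, "IKE ID does not match any subject alternative name"
    # No SAN of that type: fall back to the subject CN (the enrollment fix)
    cn = cert.cn()
    if cn is None:
        return False, "unable to compare IKE ID: no SAN and no CN"
    if cn.lower() == ike_id.lower():
        return True, "no SAN; IKE ID matches subject CN"
    return False, "no SAN; IKE ID does not match subject CN"
```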
