In the message below, I am struggling with the following statement: "That one is the first tested by the client which makes it faster for negotiation." I would typically look for a faster cipher and/or a lower-bit policy. I do like this thought process though. One other thing that I am trying to grasp is the "first tested by the client". In ISAKMP, the client would always be an initiator, and the router, firewall or concentrator would be the responder. I think the router would do the comparison, not the client. The router should then only pass back the compatible policy, and there is no need for comparison at the client.
> Message: 2
> Date: Wed, 24 Feb 2010 17:00:16 +0530
> From: Kingsley Charles <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Certificate with Alternative name
> To: Tyson Scott <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> But in the lab, they will ask for a specific policy :-(
>
> With regards
> Kings
>
> On Tue, Feb 23, 2010 at 11:31 PM, Tyson Scott <[email protected]> wrote:
>
>> With the new client it seems the best thing to do is hardcode one that
>> matches. Like
>>
>> crypto isakmp policy 10
>> encryption aes 256
>> hash sha1
>> group 5
>>
>> That one is the first tested by the client which makes it faster for
>> negotiation.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
>> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
>> Provider) Certification Training with locations throughout the United
>> States, Europe and Australia. Be sure to check out our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> *From:* Kingsley Charles [mailto:[email protected]]
>> *Sent:* Tuesday, February 23, 2010 12:49 PM
>> *To:* Tyson Scott
>> *Cc:* Brandon Carroll; [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] Certificate with Alternative name
>>
>> There is one issue which is very consistent. When I connect the VPN client
>> to the IOS server or ASA server, I get an informational failure, where none of
>> the ISAKMP policies match the hardcoded policies on the server.
>>
>> Not sure what we should do when we hit it in the lab :-(
>>
>> With regards
>> Kings
>>
>> On Tue, Feb 23, 2010 at 11:04 PM, Tyson Scott <[email protected]> wrote:
>>
>> If you didn't want to use "crypto isakmp identity dn" then you would need
>> to set your cn=<ip of router/asa>
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Kingsley Charles
>> *Sent:* Tuesday, February 23, 2010 10:49 AM
>> *To:* Brandon Carroll
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] Certificate with Alternative name
>>
>> Hi Brandon
>>
>> The same issue is seen even when I try to connect a VPN client to an IOS
>> router.
>>
>> Lab 4A-4B section 4.6 EzVPN Server IOS.
>>
>> In the solution, the IOS EzVPN server was enrolled with "cn".
>>
>> With both ASA L2L with IOS router and Windows-based EzVPN client with IOS
>> EzVPN server, they both expect that the identity ID sent in the IKE message
>> should match the name in the certificate.
>>
>> By default, the IOS router sends the hostname as IKE ID and hence the peer
>> ID validity fails.
>>
>> We have two solutions for that:
>>
>> Either configure "crypto isakmp identity dn"
>>
>> or
>>
>> Enroll the certificate with cn=name, and the name should be the same as the
>> IKE ID.
>>
>> With regards
>> Kings
>>
>> On Mon, Feb 22, 2010 at 8:52 PM, Brandon Carroll <[email protected]> wrote:
>>
>> Jimmy. Yes, that option defines the alternative name.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> ::Message Sent from iPhone::
>>
>> On Feb 22, 2010, at 2:35 AM, Kingsley Charles <[email protected]> wrote:
>>
>> Hi Brandon
>>
>> I did see that option of specifying FQDN both in router and ASA. But is
>> that the Alternate Subject name?
>>
>> With regards
>> Kings
>>
>> On Mon, Feb 22, 2010 at 5:07 AM, Brandon Carroll <[email protected]> wrote:
>>
>> Kings- have you tried this:
>>
>> ciscoasa(config-ca-trustpoint)# fqdn webvpn.cisco.com
>> ! Specifies the FQDN (DNS:) to be used as the subject alternative name.
>>
>> I think this may be what you're looking for.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>>
>> On Sat, Feb 20, 2010 at 10:13 AM, Kingsley Charles <[email protected]> wrote:
>> > I have raised this for the following reason:
>> >
>> > I am trying to bring up an L2L VPN between an IOS router and an ASA. On the
>> > ASA, I get the following error message:
>> >
>> > Feb 20 01:57:42 [IKEv1]: Group = R3, IP = 162.1.13.3, Unable to compare IKE
>> > ID against peer cert Subject Alt Name
>> >
>> > If I have "peer id validate" with certificate, the tunnel comes up. It seems
>> > the ASA is trying to match the Alt name with the IKE ID. Since there is no
>> > ALT name, the validation fails.
>> >
>> > Then I tried adding CN as the hostname in the router during enrollment, and
>> > then the tunnel came up without the need of "peer id validate" with
>> > certificate on the ASA.
>> >
>> > With regards
>> > Kings
>> >
>> > On Sat, Feb 20, 2010 at 5:07 PM, Kingsley Charles <[email protected]> wrote:
>> >>
>> >> Hi all
>> >>
>> >> I have done it before but it's not striking me now. When you enroll an IOS
>> >> router or ASA to a CA server, how do we include an Alternate name?
>> >>
>> >> Is CN and Alt Name the same?
>> >>
>> >> With regards
>> >> Kings
>> >
>> > _______________________________________________
>> > For more information regarding industry leading CCIE Lab training, please
>> > visit www.ipexpert.com
>> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://onlinestudylist.com/pipermail/ccie_security/attachments/20100224/5647d4d0/attachment.htm
>
> End of CCIE_Security Digest, Vol 44, Issue 80
> *********************************************
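The policy negotiation the thread argues about, as an added model that is not code from any message above: an IKEv1 responder walks its own `crypto isakmp policy` entries in priority order (lowest number first) and compares each one against every proposal the initiator sent, taking the first match. A match needs the same encryption, hash, DH group and authentication method, with the initiator's lifetime no longer than the responder policy's. The client proposal list below is constructed sample data, not the real Cisco VPN Client list, and the server policy numbers other than the thread's policy 10 are assumptions.

```python
"""Model of IKEv1 (ISAKMP) Phase 1 policy selection on the responder side.

Added example, not code from the mailing-list thread. Assumptions: the
initiator sends its whole proposal list in one SA payload; the responder
walks its own policies lowest-number-first and compares each one against
every received proposal, returning the first match. The client proposal
list is constructed sample data, not the real Cisco VPN Client list.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # "crypto isakmp policy <n>"; on the client, list order
    encryption: str        # "aes-256", "aes-128", "3des", "des"
    hash: str              # "sha1" or "md5"
    group: int             # Diffie-Hellman group number
    auth: str              # "pre-share" or "rsa-sig"
    lifetime: int = 86400  # seconds; the IOS default

    def accepts(self, proposal: "IsakmpPolicy") -> bool:
        """Responder-side match rule: same transform set, and the peer's
        lifetime must not exceed ours (the shorter value is what gets used)."""
        return (self.encryption == proposal.encryption
                and self.hash == proposal.hash
                and self.group == proposal.group
                and self.auth == proposal.auth
                and proposal.lifetime <= self.lifetime)


def select_policy(responder_policies: Sequence[IsakmpPolicy],
                  initiator_proposals: Sequence[IsakmpPolicy]
                  ) -> Optional[Tuple[IsakmpPolicy, int]]:
    """Return (responder policy, index of the matching proposal) or None.

    The responder's priority numbers decide which policy wins. The order in
    which the initiator listed its proposals only matters when one responder
    policy matches several of them (e.g. proposals differing only in lifetime).
    """
    for policy in sorted(responder_policies, key=lambda p: p.priority):
        for idx, proposal in enumerate(initiator_proposals):
            if policy.accepts(proposal):
                return policy, idx
    return None


# Constructed stand-in for a certificate-authenticated remote-access client;
# its own preference order puts 3DES/MD5 first.
CLIENT_PROPOSALS = [
    IsakmpPolicy(1, "3des", "md5", 2, "rsa-sig"),
    IsakmpPolicy(2, "aes-256", "sha1", 5, "rsa-sig"),
    IsakmpPolicy(3, "aes-128", "sha1", 2, "rsa-sig"),
]

# Server from the thread: policy 10 = aes 256 / sha1 / group 5 (rsa-sig is
# the IOS default authentication), plus an assumed lower-priority 3DES policy.
SERVER_POLICIES = [
    IsakmpPolicy(20, "3des", "md5", 2, "rsa-sig"),
    IsakmpPolicy(10, "aes-256", "sha1", 5, "rsa-sig"),
]

# Server whose only policy uses pre-shared keys: a certificate-only client
# gets the "none of the ISAKMP policies match" failure the thread describes.
PSK_ONLY_SERVER = [IsakmpPolicy(10, "aes-256", "sha1", 5, "pre-share")]


def negotiate(server: Sequence[IsakmpPolicy],
              client: Sequence[IsakmpPolicy]) -> Optional[Tuple[int, int]]:
    """(server policy number, client proposal index), or None on failure."""
    result = select_policy(server, client)
    if result is None:
        return None
    policy, idx = result
    return policy.priority, idx


if __name__ == "__main__":
    # Policy 10 wins even though the client listed 3DES/MD5 first and the
    # server has a matching policy 20 for it: the responder's order decides.
    print("server picks:", negotiate(SERVER_POLICIES, CLIENT_PROPOSALS))
    print("psk-only server:", negotiate(PSK_ONLY_SERVER, CLIENT_PROPOSALS))
```

Run it as a script to see the two outcomes; the lifetime rule is the easy one to forget in the lab, since a server policy with `lifetime 3600` rejects a client proposing the 86400-second default even when every other attribute matches.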
