Kings,

It depends on the question wording - if it is needed they may tell you this. Otherwise go ahead and ask the proctor.

Regards,

--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Wed, Feb 24, 2010 at 12:31 PM, Kingsley Charles <[email protected]> wrote:

> Hi Piotr
>
> You are correct, we need to turn off the validation on the ASA. Will that
> be fine in the real lab?
>
> With regards
> Kings
>
> On Tue, Feb 23, 2010 at 11:40 PM, Piotr Kaluzny <[email protected]> wrote:
>
>> Kings,
>>
>> You are right. The validation process (comparing IKE_ID to the certificate
>> payload) is not always performed, but the VPN Client specifically does it
>> and you should always make sure to force the peer to send DN as IKE_ID
>> (otherwise the client sees NULL in the cert payload and validation fails).
>> Regarding the ASA - I found it depends on the soft version you have there. I
>> would recommend you to configure CN=FQDN and set IKE_ID to DN. If you still
>> experience any problems on ASA, turn off validation using the "peer-id-validate"
>> command.
>>
>> --
>> Piotr Kaluzny
>> CCIE #25665 (Security), CCSP, CCNP
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> On Tue, Feb 23, 2010 at 4:48 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> Hi Brandon
>>>
>>> The same issue is seen even when I try to connect a VPN client to an IOS
>>> router.
>>>
>>> Lab 4A-4B section 4.6 EzVPN Server IOS.
>>>
>>> In the solution, the IOS EzVPN server was enrolled with "cn".
>>>
>>> With both ASA L2L with IOS router and Windows based EzVPN client with IOS
>>> EzVPN server, they both expect that the identity id sent in the IKE message
>>> should match the name in the certificate.
>>>
>>> By default, the IOS router sends the hostname as IKE ID and hence the
>>> peer id validity fails.
>>>
>>> We have two solutions for that:
>>>
>>> Either configure "crypto isakmp identity dn"
>>>
>>> or
>>>
>>> Enroll certificate with cn=name and the name should be the same as the
>>> IKE ID.
>>>
>>> With regards
>>> Kings
>>>
>>> On Mon, Feb 22, 2010 at 8:52 PM, Brandon Carroll <[email protected]> wrote:
>>>
>>>> Jimmy. Yes, That option defines the alternative name.
>>>>
>>>> Regards,
>>>>
>>>> Brandon Carroll - CCIE #23837
>>>> Senior Technical Instructor - IPexpert
>>>> Mailto: [email protected]
>>>> Telephone: +1.810.326.1444
>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>> eFax: +1.810.454.0130
>>>>
>>>> ::Message Sent from iPhone::
>>>>
>>>> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
>>>> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security &
>>>> Service Provider) Certification Training with locations throughout the
>>>> United States, Europe and Australia. Be sure to check out our online
>>>> communities at www.ipexpert.com/communities and our public website at
>>>> www.ipexpert.com.
>>>>
>>>> On Feb 22, 2010, at 2:35 AM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>> Hi Brandon
>>>>
>>>> I did see that option of specifying FQDN both in router and ASA. But is
>>>> that the Alternate Subject name?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Mon, Feb 22, 2010 at 5:07 AM, Brandon Carroll <[email protected]> wrote:
>>>>
>>>>> Kings- have you tried this:
>>>>>
>>>>> ciscoasa(config-ca-trustpoint)# fqdn webvpn.cisco.com
>>>>>
>>>>> ! Specifies the FQDN (DNS:) to be used as the subject alternative
>>>>> name.
>>>>>
>>>>> I think this may be what you're looking for.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Brandon Carroll - CCIE #23837
>>>>> Senior Technical Instructor - IPexpert
>>>>> Mailto: [email protected]
>>>>> Telephone: +1.810.326.1444
>>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>>> eFax: +1.810.454.0130
>>>>>
>>>>> On Sat, Feb 20, 2010 at 10:13 AM, Kingsley Charles <[email protected]> wrote:
>>>>> > I have raised this for the following reason:
>>>>> >
>>>>> > I am trying to bring up an L2L VPN between an IOS router and an ASA. On the ASA, I
>>>>> > get the following error message:
>>>>> >
>>>>> > Feb 20 01:57:42 [IKEv1]: Group = R3, IP = 162.1.13.3, Unable to
>>>>> > compare IKE ID against peer cert Subject Alt Name
>>>>> >
>>>>> > If I have "peer id validate" with certificate, the tunnel comes up.
>>>>> > It seems the ASA is trying to match the Alt name with the IKE ID. Since there is
>>>>> > no ALT name, the validation fails.
>>>>> >
>>>>> > Then I tried adding CN as the hostname in the router during enrollment
>>>>> > and then the tunnel came up without the need of "peer id validate" with
>>>>> > certificate on the ASA.
>>>>> >
>>>>> > With regards
>>>>> > Kings
>>>>> >
>>>>> > On Sat, Feb 20, 2010 at 5:07 PM, Kingsley Charles <[email protected]> wrote:
>>>>> >>
>>>>> >> Hi all
>>>>> >>
>>>>> >> I have done it before but it's not striking me now. When you enroll
>>>>> >> an IOS router or ASA to a CA server, how do we include an Alternate name?
>>>>> >>
>>>>> >> Is CN and Alt Name the same?
>>>>> >>
>>>>> >> With regards
>>>>> >> Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
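The configuration pattern the thread converges on (CN set to the FQDN, a DNS: Subject Alternative Name requested at enrollment, and the IOS router sending its certificate DN as IKE ID so the ASA can keep peer-ID validation enabled), written out as an added example that is not part of the thread. Hostnames, the trustpoint name, the CA URL and the peer address are constructed placeholders; the commands are standard IOS/ASA PKI, ISAKMP and tunnel-group commands.

```text
! Constructed example, not taken from the thread. Names and addresses are placeholders.

! --- IOS router (R3): make the certificate and the IKE ID agree ---------------
hostname R3
ip domain-name lab.example
!
crypto pki trustpoint LAB-CA
 enrollment url http://10.0.0.100:80
 ! CN carries the FQDN, so the DN sent as IKE ID contains a name the peer can match
 subject-name CN=R3.lab.example,O=LAB
 ! Also request a SubjectAltName DNS: entry; the ASA error in the thread
 ! ("Unable to compare IKE ID against peer cert Subject Alt Name") is what you
 ! get when this is missing
 fqdn R3.lab.example
 revocation-check none
!
! IOS defaults to sending the hostname as IKE ID; send the certificate DN instead
crypto isakmp identity dn

! --- ASA: enrol the same way and keep peer-ID validation on -------------------
crypto ca trustpoint LAB-CA
 enrollment url http://10.0.0.100:80
 subject-name CN=ASA1.lab.example,O=LAB
 fqdn ASA1.lab.example
!
! "auto" sends the DN when certificates are used for authentication
crypto isakmp identity auto
!
tunnel-group 162.1.13.3 type ipsec-l2l
tunnel-group 162.1.13.3 ipsec-attributes
 trust-point LAB-CA
 ! "req" keeps the IKE-ID-vs-certificate check on; "nocheck" is the escape
 ! hatch ("peer-id-validate") mentioned in the thread and only hides the mismatch
 peer-id-validate req
```

With validation left on, a peer whose IKE ID does not match its certificate is still rejected, which is the property the check exists to provide; turning it off with `nocheck` should be a last resort after the enrollment has been fixed.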
