Comments inline.....

On Tue, Jul 13, 2010 at 1:17 PM, Yogesh Gawankar <[email protected]> wrote:

> Hi
>
> I am not quite sure about site to site using digital signatures. I have the
> following 2 doubts:
>
>
> 1) When we use digital signatures for authentication the IKE ID must match
> the subject name in the certificate. But what if I want to use a random
> string as the IKE ID and the subject name is say something else?
>

   It is not that the IKE ID should match the subject name. The subject name
should be present in the IKE ID for trusting the cert. Also, this is required
by the VPN client and the ASA only. IOS routers don't check for the match.

*Method 1*

   With ASAs, configure the tunnel group with the IP address and configure the
remote IPsec peer with "crypto isakmp identity dn"; the validation on the ASA
will succeed as the IP address matches the IP address of the IKE messages.

*Method 2*

   With the ASA, if you configure the tunnel group with a name, then you need
to configure "crypto isakmp identity dn" and an appropriate subject name in
the trustpoint using "subject-name". With this, the IKE ID will match the
subject name.

*Method 3*

   With the ASA, if you have configured the tunnel group with a name, then you
can configure "peer-id-validate nocheck", which removes the validation.


   With VPN client, make sure you configure "crypto isakmp identity dn" on
the EzVPN server.



>
> 2) ASA uses the concept of tunnel groups for matching phase 1 connections.
> It first checks the OU field in the cert, then the IKE ID and finally the IP
> address. What about an IOS router? What does it do?
>
> Please help to clarify these concepts.
>


    As the ASA uses tunnel groups, it uses that logic for matching the
tunnel group. This is not used in IOS as there is no tunnel group.


>
> Thanks and regards
> Yogesh
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
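As an added illustration of Method 1 and Method 3 above (this is not configuration from the thread or from Cisco documentation), the relevant fragments for the IOS peer and the ASA; the trustpoint name VPN-CA, the subject names, the tunnel-group names and the 192.0.2.x/203.0.113.x addresses are all assumptions.

```cisco
! --- IOS router (remote IPsec peer) - added example, names/addresses assumed ---
crypto pki trustpoint VPN-CA
 enrollment terminal
 subject-name CN=rtr1.example.net,OU=VPN
!
! Send the certificate's distinguished name as the IKE ID
! (rsa-sig is the default ISAKMP authentication method)
crypto isakmp identity dn
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
!
! --- ASA, Method 1: tunnel group named by the peer's IP address (203.0.113.10 assumed) ---
crypto ca trustpoint VPN-CA
 enrollment terminal
 subject-name CN=asa1.example.net,OU=VPN
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 trust-point VPN-CA
 ! peer-id-validate is left at its default, so the peer identity is still checked
!
! --- ASA, Method 3: tunnel group with a name, IKE ID validation switched off ---
tunnel-group RTR1 type ipsec-l2l
tunnel-group RTR1 ipsec-attributes
 trust-point VPN-CA
 peer-id-validate nocheck
```

With Method 3 the peer's certificate chain is still verified against the trustpoint, but the IKE ID is no longer compared with the certificate, so Method 1 or Method 2 is the stricter choice where the design allows it.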
