I think he should also be made aware of the infamous peer-id validate option on the ASA :)
Thanks and regards Yogesh Gawankar --- On Tue, 8/24/10, Kingsley Charles <[email protected]> wrote: From: Kingsley Charles <[email protected]> Subject: Re: [OSL | CCIE_Security] Vol 1 Task 4.6 To: "Johan Bornman" <[email protected]> Cc: "Yogesh Gawankar" <[email protected]>, "OSL Security" <[email protected]> Date: Tuesday, August 24, 2010, 2:58 PM The task won't hint us. We need to be aware off when to use it. Both ASA and VPN client, strictly validate the cert and hence when you have L2L between ASA and IOS or connect VPN client to ASA or IOS server, then you need to have it configured. With regards Kings On Tue, Aug 24, 2010 at 10:24 AM, Johan Bornman <[email protected]> wrote: Thanks, Kings. Is the command compulsory when the VPN client or an ASA is involved? How will the task read in any other scenario where the VPN client/ASA is not involved? From: Kingsley Charles [mailto:[email protected]] Sent: 24 August 2010 06:45 AM To: Yogesh Gawankar Cc: OSL Security; Johan Bornman Subject: Re: [OSL | CCIE_Security] Vol 1 Task 4.6 This command sends the complete subject name in your cert. Very important command when you use digital certs that too when you the have VPN client or ASA on one of the remote peers. With regards Kings On Tue, Aug 24, 2010 at 6:54 AM, Yogesh Gawankar <[email protected]> wrote: If am not mistaken this command sends the certificate as the IKE ID so as to prevent PKI from breaking. I dont know what the question says but I am guessing it asks for rsa signatures as authentication methid (maybe L2L with certficates).You can use any IKE id as long as it appears in the certificate. Cheers Yogesh Gawankar --- On Tue, 8/24/10, Johan Bornman <[email protected]> wrote: From: Johan Bornman <[email protected]> Subject: [OSL | CCIE_Security] Vol 1 Task 4.6 To: "'OSL Security'" <[email protected]> Date: Tuesday, August 24, 2010, 4:56 AM Why this command in the solution and what in the task asks for it? crypto isakmp identity dn -----Inline Attachment Follows----- _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
