Thanks Kings and Yogesh.

 

From: Kingsley Charles [mailto:[email protected]] 
Sent: 24 August 2010 07:52 AM
To: Yogesh Gawankar
Cc: Johan Bornman; OSL Security
Subject: Re: [OSL | CCIE_Security] Vol 1 Task 4.6

 

Yes, that can be used, but I think using "crypto isakmp identity dn" is a good
practice as "peer-id validate" removes the validation. Yusuf's practice labs
also use "crypto isakmp identity dn".

With regards
Kings

On Tue, Aug 24, 2010 at 10:58 AM, Yogesh Gawankar <[email protected]>
wrote:


I think he should also be made aware of the infamous peer-id validate option
on the ASA :)

Thanks and regards

Yogesh Gawankar


--- On Tue, 8/24/10, Kingsley Charles <[email protected]> wrote:


From: Kingsley Charles <[email protected]>

Subject: Re: [OSL | CCIE_Security] Vol 1 Task 4.6

To: "Johan Bornman" <[email protected]>
Cc: "Yogesh Gawankar" <[email protected]>, "OSL Security"
<[email protected]>
Date: Tuesday, August 24, 2010, 2:58 PM

 

The task won't hint us. We need to be aware of when to use it. Both the ASA and
the VPN client strictly validate the cert, and hence when you have L2L between
ASA and IOS, or connect a VPN client to an ASA or IOS server, you need to
have it configured.


With regards
Kings

On Tue, Aug 24, 2010 at 10:24 AM, Johan Bornman <[email protected]> wrote:

Thanks, Kings.

 

Is the command compulsory when the VPN client or an ASA is involved?

How will the task read in any other scenario where the VPN client/ASA is not
involved?

  

From: Kingsley Charles [mailto:[email protected]]
Sent: 24 August 2010 06:45 AM
To: Yogesh Gawankar
Cc: OSL Security; Johan Bornman
Subject: Re: [OSL | CCIE_Security] Vol 1 Task 4.6 

 

This command sends the complete subject name in your cert. Very important
command when you use digital certs, that too when you have the
VPN client or ASA on one of the remote peers.


With regards
Kings

On Tue, Aug 24, 2010 at 6:54 AM, Yogesh Gawankar <[email protected]> wrote:


If I am not mistaken, this command sends the certificate as the IKE ID so as
to prevent PKI from breaking.

 

I don't know what the question says, but I am guessing it asks for rsa
signatures as the authentication method (maybe L2L with certificates). You can use
any IKE id as long as it appears in the certificate.

 

Cheers



Yogesh Gawankar


--- On Tue, 8/24/10, Johan Bornman <[email protected]> wrote:


From: Johan Bornman <[email protected]>


Subject: [OSL | CCIE_Security] Vol 1 Task 4.6

To: "'OSL Security'" <[email protected]>
Date: Tuesday, August 24, 2010, 4:56 AM 

 

Why this command in the solution and what in the task asks for it?

 

crypto isakmp identity dn 

 

 

_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com <http://www.ipexpert.com/> 


