Mark, when you enable the debugs, on which tunnel group is the request landing? It might be landing on the default tunnel group.
With regards
Kings

On Mon, Nov 8, 2010 at 8:45 AM, Mark Senteza <[email protected]> wrote:
> Hey all,
>
> I've got an L2L VPN set up between an ASA and a Router (R3), using rsa-sig
> authentication. My tunnel comes up fine, using rsa-sig and traffic between
> 136.1.121.0/24 (behind ASA) and 136.1.23.0/24 (behind R3) is protected.
>
> On the ASA I've tried to test the certificate map & tunnel-group-map
> feature but my tunnel still comes up when I expect my entries in the
> certificate map will filter the peer and prevent the tunnel from coming up.
> And I can ping between the two protected subnets.
>
> Here are my related configurations.
>
> On the ASA:
>
> tunnel-group 136.1.123.3 type ipsec-l2l
> tunnel-group 136.1.123.3 ipsec-attributes
>  trust-point IOSCA
>
> tunnel-group-map enable rules
> tunnel-group-map CERT-MAP 10 136.1.123.3
>
> These are the 3 different options I have tried with the certificate map
> configuration, but none works:
>
> crypto ca certificate map CERT-MAP 10
>  subject-name attr cn co ccie.net
>
> crypto ca certificate map CERT-MAP 10
>  subject-name co ccie.net
>
> crypto ca certificate map CERT-MAP 10
>  issuer-name eq IOS
>
> Can anyone point out where in my configuration I need to look to fix the
> error? Am I getting the syntax wrong? How come my tunnel keeps coming up
> when the certificate map has entries that don't match what's in the peer's
> certificate?
>
> Here are the certificates from both peers too:
>
> From Router R3
>
> R3#show crypto ca certif
> Certificate
>   Status: Available
>   Certificate Serial Number (hex): 03
>   Certificate Usage: General Purpose
>   Issuer:
>     cn=IOSCA
>   Subject:
>     Name: R3.ccie.com
>     hostname=R3.ccie.com
>   Validity Date:
>     start date: 12:59:36 PST Nov 2 2010
>     end date: 12:52:18 PST Nov 12 2010
>   Associated Trustpoints: IOSCA
>   Storage: nvram:IOSCA#3.cer
>
> CA Certificate
>   Status: Available
>   Certificate Serial Number (hex): 01
>   Certificate Usage: Signature
>   Issuer:
>     cn=IOSCA
>   Subject:
>     cn=IOSCA
>   Validity Date:
>     start date: 12:52:18 PST Nov 2 2010
>     end date: 12:52:18 PST Nov 12 2010
>   Associated Trustpoints: IOSCA
>   Storage: nvram:IOSCA#1CA.cer
>
> R3#
>
>
> From the ASA:
>
> ASA1# sh crypto ca certif
> CA Certificate
>   Status: Available
>   Certificate Serial Number: 01
>   Certificate Usage: Signature
>   Public Key Type: RSA (1024 bits)
>   Issuer Name:
>     cn=IOSCA
>   Subject Name:
>     cn=IOSCA
>   Validity Date:
>     start date: 12:52:18 PST Nov 2 2010
>     end date: 12:52:18 PST Nov 12 2010
>   Associated Trustpoints: IOSCA
>
> Certificate
>   Status: Available
>   Certificate Serial Number: 04
>   Certificate Usage: General Purpose
>   Public Key Type: RSA (1024 bits)
>   Issuer Name:
>     cn=IOSCA
>   Subject Name:
>     hostname=ASA1.ccie.com
>   Validity Date:
>     start date: 15:59:49 PST Nov 2 2010
>     end date: 12:52:18 PST Nov 12 2010
>   Associated Trustpoints: IOSCA
>
>
> Greatly appreciate the help
> Mark
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
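As an added illustration, not part of the thread: a small Python model of the ASA certificate-map operators (eq/ne/co/nc, compared per attribute when `attr` is given, otherwise against the whole name string; case-insensitive comparison is an assumption) applied to R3's identity certificate as printed above. It shows that none of the three CERT-MAP entries Mark tried can match that certificate, which is consistent with the request falling through to the default tunnel group that Kings suspects.

```python
"""Model of ASA 'crypto ca certificate map' rule evaluation (assumed semantics)."""

# R3's identity certificate, constructed from the 'show crypto ca certif' output
# in the thread: the subject carries only an unstructured 'hostname' attribute,
# there is no 'cn' at all, and the issuer is 'cn=IOSCA'.
ROUTER_CERT = {"subject": "hostname=R3.ccie.com", "issuer": "cn=IOSCA"}

# The three CERT-MAP 10 variants from the thread: (field, attr, operator, value).
RULES = [
    ("subject-name", "cn", "co", "ccie.net"),   # subject-name attr cn co ccie.net
    ("subject-name", None, "co", "ccie.net"),   # subject-name co ccie.net
    ("issuer-name", None, "eq", "IOS"),         # issuer-name eq IOS
]


def parse_dn(dn):
    """'cn=IOSCA,o=Lab' -> {'cn': 'IOSCA', 'o': 'Lab'} (tags lower-cased)."""
    attrs = {}
    for part in dn.split(","):
        tag, _, value = part.partition("=")
        attrs[tag.strip().lower()] = value.strip()
    return attrs


def rule_matches(rule, cert):
    """True if one certificate-map line matches the certificate."""
    field, attr, op, value = rule
    name = cert["subject"] if field == "subject-name" else cert["issuer"]
    if attr is not None:
        candidate = parse_dn(name).get(attr.lower())
        if candidate is None:
            return False          # attribute absent: an 'attr' rule cannot match
    else:
        candidate = name          # no attr: compare against the whole DN string
    c, v = candidate.lower(), value.lower()
    return {"eq": c == v, "ne": c != v, "co": v in c, "nc": v not in c}[op]


def matching_rules(cert):
    """Return the rules from RULES that match the given certificate."""
    return [r for r in RULES if rule_matches(r, cert)]


if __name__ == "__main__":
    print("rules matching R3's certificate:", matching_rules(ROUTER_CERT))
```

Rules that would match R3's certificate are written against what is actually in it, for example `issuer-name attr cn eq IOSCA` or `subject-name co ccie.com`.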
