Kings, thanks for pointing that out. I didn't pay attention to that, but I'll do that once I lab this up again. The configuration seems so basic that there aren't too many options to look at to nail it down.
Mark

On Sun, Nov 7, 2010 at 11:50 PM, Kingsley Charles <[email protected]> wrote:
> Mark, when you enable the debugs, on which tunnel group is the request
> landing? It might be landing on the default tunnel group.
>
> With regards
> Kings
>
> On Mon, Nov 8, 2010 at 8:45 AM, Mark Senteza <[email protected]> wrote:
>
>> Hey all,
>>
>> I've got a L2L VPN set up between an ASA and a Router (R3), using rsa-sig
>> authentication. My tunnel comes up fine, using rsa-sig, and traffic between
>> 136.1.121.0/24 (behind ASA) and 136.1.23.0/24 (behind R3) is protected.
>>
>> On the ASA I've tried to test the certificate map & tunnel-group-map
>> feature, but my tunnel still comes up when I expect my entries in the
>> certificate map will filter the peer and prevent the tunnel from coming up.
>> And I can ping between the two protected subnets.
>>
>> Here are my related configurations.
>>
>> On the ASA:
>>
>> tunnel-group 136.1.123.3 type ipsec-l2l
>> tunnel-group 136.1.123.3 ipsec-attributes
>>  trust-point IOSCA
>>
>> tunnel-group-map enable rules
>> tunnel-group-map CERT-MAP 10 136.1.123.3
>>
>> These are the 3 different options I have tried with the certificate map
>> configuration, but none works:
>>
>> crypto ca certificate map CERT-MAP 10
>>  subject-name attr cn co ccie.net
>>
>> crypto ca certificate map CERT-MAP 10
>>  subject-name co ccie.net
>>
>> crypto ca certificate map CERT-MAP 10
>>  issuer-name eq IOS
>>
>> Can anyone point out where in my configuration I need to look to fix the
>> error? Am I getting the syntax wrong? How come my tunnel keeps coming up
>> when the certificate map has entries that don't match what's in the peer's
>> certificate?
>>
>> Here are the certificates from both peers too:
>>
>> From Router R3:
>>
>> R3#show crypto ca certif
>> Certificate
>>   Status: Available
>>   Certificate Serial Number (hex): 03
>>   Certificate Usage: General Purpose
>>   Issuer:
>>     cn=IOSCA
>>   Subject:
>>     Name: R3.ccie.com
>>     hostname=R3.ccie.com
>>   Validity Date:
>>     start date: 12:59:36 PST Nov 2 2010
>>     end   date: 12:52:18 PST Nov 12 2010
>>   Associated Trustpoints: IOSCA
>>   Storage: nvram:IOSCA#3.cer
>>
>> CA Certificate
>>   Status: Available
>>   Certificate Serial Number (hex): 01
>>   Certificate Usage: Signature
>>   Issuer:
>>     cn=IOSCA
>>   Subject:
>>     cn=IOSCA
>>   Validity Date:
>>     start date: 12:52:18 PST Nov 2 2010
>>     end   date: 12:52:18 PST Nov 12 2010
>>   Associated Trustpoints: IOSCA
>>   Storage: nvram:IOSCA#1CA.cer
>>
>> R3#
>>
>> From the ASA:
>>
>> ASA1# sh crypto ca certif
>> CA Certificate
>>   Status: Available
>>   Certificate Serial Number: 01
>>   Certificate Usage: Signature
>>   Public Key Type: RSA (1024 bits)
>>   Issuer Name:
>>     cn=IOSCA
>>   Subject Name:
>>     cn=IOSCA
>>   Validity Date:
>>     start date: 12:52:18 PST Nov 2 2010
>>     end   date: 12:52:18 PST Nov 12 2010
>>   Associated Trustpoints: IOSCA
>>
>> Certificate
>>   Status: Available
>>   Certificate Serial Number: 04
>>   Certificate Usage: General Purpose
>>   Public Key Type: RSA (1024 bits)
>>   Issuer Name:
>>     cn=IOSCA
>>   Subject Name:
>>     hostname=ASA1.ccie.com
>>   Validity Date:
>>     start date: 15:59:49 PST Nov 2 2010
>>     end   date: 12:52:18 PST Nov 12 2010
>>   Associated Trustpoints: IOSCA
>>
>> Greatly appreciate the help
>> Mark
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
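A worked check, added here and not part of the thread above: a small model of how an ASA walks `crypto ca certificate map` entries to pick a tunnel group, run against the subject and issuer names pasted from the two `show crypto ca certificate` outputs. The DN strings are copied from the post; the operator semantics (`eq`/`ne`/`co`/`nc`), the case-insensitive comparison, and the assumption that the ASA keyword for the `hostname=` (unstructuredName) RDN is `uname` are this example's assumptions about ASA behaviour, not something the thread states. The point it makes concrete is that each of the three posted entries fails to match R3's certificate (the subject has no `cn` attribute, it contains `ccie.com` rather than `ccie.net`, and the issuer's `cn` is `IOSCA`, not `IOS`), so rule evaluation falls through to the default group, which is the behaviour Kingsley suggests looking for in the debugs. A certificate map that matches nothing yields no mapping; it does not reject the peer, so the tunnel still comes up by the ASA's other tunnel-group selection methods, which this model does not cover.

```python
"""Model of ASA certificate-map evaluation (added example, not ASA code).

Assumptions, labelled here because the thread does not state them:
  * all rule lines inside one map entry must match (AND), entries are
    tried in ascending sequence order, first match wins;
  * comparisons are case-insensitive;
  * a rule without `attr` compares against the whole DN string;
  * IOS prints the unstructuredName RDN as "hostname="; the ASA map
    attribute keyword for it is assumed to be "uname".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Map the attribute label used in IOS `show` output to the assumed ASA keyword.
ATTR_ALIASES = {"hostname": "uname"}


@dataclass(frozen=True)
class Cert:
    subject: str   # DN as printed, e.g. "hostname=R3.ccie.com"
    issuer: str    # DN as printed, e.g. "cn=IOSCA"


@dataclass(frozen=True)
class Rule:
    field: str                  # "subject-name" or "issuer-name"
    op: str                     # "eq", "ne", "co" (contains) or "nc" (does not contain)
    value: str
    attr: Optional[str] = None  # None: match against the whole DN string


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split 'cn=IOSCA, ou=lab' into {'cn': ['IOSCA'], 'ou': ['lab']}."""
    parsed: Dict[str, List[str]] = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        key = key.strip().lower()
        key = ATTR_ALIASES.get(key, key)
        parsed.setdefault(key, []).append(value.strip())
    return parsed


def rule_matches(rule: Rule, cert: Cert) -> bool:
    """Evaluate one map line against one certificate."""
    dn = cert.subject if rule.field == "subject-name" else cert.issuer
    if rule.attr is None:
        candidates = [dn]
    else:
        # An attribute the certificate does not carry yields no candidates,
        # so eq/co cannot match it (assumption: ne/nc then succeed).
        candidates = parse_dn(dn).get(rule.attr.lower(), [])
    want = rule.value.lower()
    have = [c.lower() for c in candidates]
    if rule.op == "eq":
        return any(h == want for h in have)
    if rule.op == "ne":
        return all(h != want for h in have)
    if rule.op == "co":
        return any(want in h for h in have)
    if rule.op == "nc":
        return all(want not in h for h in have)
    raise ValueError(f"unknown operator {rule.op!r}")


CertMap = List[Tuple[int, List[Rule]]]   # [(sequence, [rule lines]), ...]


def select_tunnel_group(cert: Cert, cert_map: CertMap,
                        tunnel_group_map: Dict[int, str], default_group: str) -> str:
    """Return the tunnel group the certificate maps to, or the default group."""
    for seq, rules in sorted(cert_map):
        if rules and all(rule_matches(r, cert) for r in rules):
            return tunnel_group_map.get(seq, default_group)
    return default_group


# Data copied from the post: R3's identity certificate and the ASA config.
R3_CERT = Cert(subject="hostname=R3.ccie.com", issuer="cn=IOSCA")
ASA_CERT = Cert(subject="hostname=ASA1.ccie.com", issuer="cn=IOSCA")
TUNNEL_GROUP_MAP = {10: "136.1.123.3"}          # tunnel-group-map CERT-MAP 10 136.1.123.3
DEFAULT_L2L = "DefaultL2LGroup"                 # assumed default-group name

# The three CERT-MAP 10 variants tried in the post, one map per attempt.
ATTEMPTS: Dict[str, CertMap] = {
    "subject-name attr cn co ccie.net": [(10, [Rule("subject-name", "co", "ccie.net", "cn")])],
    "subject-name co ccie.net":         [(10, [Rule("subject-name", "co", "ccie.net")])],
    "issuer-name eq IOS":               [(10, [Rule("issuer-name", "eq", "IOS")])],
}

# A map written against attributes the router's certificate actually carries
# (example only; the thread does not propose this configuration).
MATCHING_MAP: CertMap = [(10, [Rule("subject-name", "co", "ccie.com", "uname"),
                               Rule("issuer-name", "eq", "IOSCA", "cn")])]


def evaluate_attempts() -> Dict[str, str]:
    """Tunnel group each posted map variant would select for R3's certificate."""
    return {text: select_tunnel_group(R3_CERT, cmap, TUNNEL_GROUP_MAP, DEFAULT_L2L)
            for text, cmap in ATTEMPTS.items()}


if __name__ == "__main__":
    for text, group in evaluate_attempts().items():
        print(f"{text:36s} -> {group}")
    print(f"{'matching map':36s} -> "
          f"{select_tunnel_group(R3_CERT, MATCHING_MAP, TUNNEL_GROUP_MAP, DEFAULT_L2L)}")
```

Running it prints `DefaultL2LGroup` for all three posted variants and `136.1.123.3` for the map built from the `uname` and issuer `cn` attributes, which is the split to look for when the debugs show which tunnel group the negotiation lands on.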
