Hi all.
I have an L2L VPN between a directly connected ASA and an IOS Router using
rsa-sig for authentication. The VPN tunnel comes up fine every time
interesting traffic is sent across. The issue I'm having is with my
certificate map, as configured below:
crypto pki certificate map WENDALCERT 10
issuer-name co juniper
subject-name co router99
When I tie this to the crypto map on the IOS Router, the VPN tunnel still
comes up every time interesting traffic is sent across, even though I would
expect it not to, since the issuer-name and subject-name defined in the
certificate map do not match at all.
Can someone show me what I'm doing wrong? Here is the related config and a
couple of show outputs from both peers, and from the CA server, which is
another router placed behind the ASA.
R1 - the IOS CA server and NTP server (10.1.1.1)
R1#show crypto pki ser
Certificate Server WENDAL:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: cn=R1
CA cert fingerprint: 02F6AB7F B8C3473F 35CCE4D9 E9FBD779
Granting mode is: auto
Last certificate issued serial number (hex): 3
CA certificate expiration timer: 03:10:48 UTC Dec 3 2010
CRL NextUpdate timer: 09:10:57 UTC Dec 2 2010
Current primary storage dir: nvram:
Database Level: Complete - all issued certs written as <serialnum>.cer
R1#show crypto ca certi
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=R1
Subject:
cn=R1
Validity Date:
start date: 03:10:48 UTC Dec 2 2010
end date: 03:10:48 UTC Dec 3 2010
Associated Trustpoints: WENDAL
Storage: nvram:R1#2CA.cer
***
ASA
- 10.3.3.13 (outside) and 10.1.1.3 (inside)
ntp server 10.1.1.1
crypto pki trustpoint WENDAL
enrollment url http://10.1.1.1:80
revocation-check none
access-list VPN permit ip 10.1.12.0 255.255.255.0 10.100.3.0 255.255.255.0
crypto isakmp policy 10
authen rsa-sig
encry 3des
hash sha
group 2
crypto isakmp enable outside
crypto ipsec trans VPN esp-3des esp-sha-hmac
crypto map VPN 10 match address VPN
crypto map VPN 10 set peer 10.99.99.3
crypto map VPN 10 set transform-set VPN
crypto map VPN interface outside
tunnel-group 10.99.99.3 type ipsec-l2l
tunnel-group 10.99.99.3 ipsec-attributes
trust-point WENDAL
ASA# show crypto ca cert
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=R1
Subject Name:
hostname=ASA
Validity Date:
start date: 03:18:44 UTC Dec 2 2010
end date: 03:10:48 UTC Dec 3 2010
Associated Trustpoints: WENDAL
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=R1
Subject Name:
cn=R1
Validity Date:
start date: 03:10:48 UTC Dec 2 2010
end date: 03:10:48 UTC Dec 3 2010
Associated Trustpoints: WENDAL
***
Router R3
- Gi0/0 (10.3.3.3)
- Loopback0 (10.99.99.3)
- Loopback100 (10.100.3.3)
ntp server 10.1.1.1
crypto pki trustpoint WENDAL
enrollment url http://10.1.1.1:80
revocation-check none
ip access-list ext VPN
permit ip 10.100.3.0 0.0.0.255 10.1.12.0 0.0.0.255
crypto isakmp identity dn
crypto isakmp policy 10
authen rsa-sig
encry 3des
hash sha
group 2
crypto ipsec trans VPN esp-3des esp-sha-hmac
crypto map VPN local-address Loopback0
crypto map VPN isakmp-profile ISAPROF
crypto map VPN 10 ipsec-isakmp
set peer 10.3.3.13
set transform-set VPN
match address VPN
crypto pki certificate map WENDALCERT 10
issuer-name co juniper
subject-name co router99
crypto isakmp profile ISAPROF
ca trust-point WENDAL
match certificate WENDALCERT
inter gi 0/0
crypto map VPN
R3#ping 10.1.12.2 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
Packet sent with a source address of 10.100.3.3
.!!!!
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
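As an added illustration that is not part of the original post and not Cisco's own code, the following Python models how a `crypto pki certificate map` is evaluated against a peer's certificate, using the operator semantics from the IOS documentation: `co` contains, `nc` does not contain, `eq` equals, `ne` does not equal; every line under one sequence number must match (AND), and different sequence numbers are alternatives (OR). Case-insensitive comparison, the `first_matching_sequence` helper name and the second certificate's names are assumptions of this model. Fed the ASA certificate shown in the post (issuer cn=R1, subject hostname=ASA), map WENDALCERT does not match, which is the outcome the poster expected; a hypothetical map written against the real issuer and subject does.

```python
"""Model of IOS 'crypto pki certificate map' evaluation (added example, not from the post)."""
from typing import Dict, List, Optional, Tuple

# One line of a certificate map: (field, operator, value),
# e.g. ("issuer-name", "co", "juniper").
Rule = Tuple[str, str, str]
CertMap = Dict[int, List[Rule]]      # sequence number -> rules under it
Cert = Dict[str, str]                # field name -> value from the certificate


def _field_matches(actual: str, op: str, wanted: str) -> bool:
    """Apply one certificate-map operator to one certificate field.

    Operators as documented for 'crypto pki certificate map':
      co = contains, nc = does not contain, eq = equals, ne = does not equal.
    Comparison is case-insensitive here; that is an assumption of this model.
    """
    a, w = actual.lower(), wanted.lower()
    if op == "co":
        return w in a
    if op == "nc":
        return w not in a
    if op == "eq":
        return a == w
    if op == "ne":
        return a != w
    raise ValueError(f"unknown certificate-map operator {op!r}")


def sequence_matches(rules: List[Rule], cert: Cert) -> bool:
    """All lines under one sequence number must match (logical AND).
    A field absent from the certificate is treated as an empty string."""
    return all(_field_matches(cert.get(field, ""), op, wanted)
               for field, op, wanted in rules)


def first_matching_sequence(cert_map: CertMap, cert: Cert) -> Optional[int]:
    """Return the lowest sequence number whose rules all match, or None.
    Sequences are alternatives (logical OR), checked in numeric order."""
    for seq in sorted(cert_map):
        if sequence_matches(cert_map[seq], cert):
            return seq
    return None


def cert_map_matches(cert_map: CertMap, cert: Cert) -> bool:
    return first_matching_sequence(cert_map, cert) is not None


# The map from the post: issuer must contain "juniper" AND subject must contain "router99".
WENDALCERT: CertMap = {
    10: [("issuer-name", "co", "juniper"), ("subject-name", "co", "router99")],
}

# Peer certificate as shown by 'show crypto ca cert' on the ASA in the post.
ASA_CERT: Cert = {"issuer-name": "cn=R1", "subject-name": "hostname=ASA"}

# Constructed certificate (hypothetical names) that WENDALCERT would accept.
JUNIPER_CERT: Cert = {"issuer-name": "cn=juniper-ca,o=example",
                      "subject-name": "cn=router99.example.net"}

# Hypothetical map written against the ASA's real issuer and subject.
MATCH_ASA: CertMap = {
    10: [("issuer-name", "eq", "cn=R1"), ("subject-name", "co", "hostname=asa")],
}

if __name__ == "__main__":
    for name, cmap, cert in [("WENDALCERT vs ASA", WENDALCERT, ASA_CERT),
                             ("WENDALCERT vs constructed Juniper cert", WENDALCERT, JUNIPER_CERT),
                             ("MATCH_ASA vs ASA", MATCH_ASA, ASA_CERT)]:
        print(f"{name}: sequence {first_matching_sequence(cmap, cert)}")
```

When troubleshooting, compare each line of the map with the Issuer Name and Subject Name fields of the peer's certificate exactly as `show crypto ca certificates` prints them; a map only matches when every line under the same sequence number holds, so a single wrong field is enough for no sequence to match.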