Well, about this one, I have some difficulty understanding it too. Initially I thought it would be to match some info on the certificate, until I met certificate-map. Nowadays I am not using it for anything anymore.
On Wed, Jan 19, 2011 at 12:30 PM, Kingsley Charles <[email protected]> wrote:
> Hi Bruno
>
> There was a typo in the previous mail. Actually I was looking for an IPSec use
> case where we match user-fqdn in ISAKMP profiles.
>
> router(config)#crypto isakmp profile prof
> % A profile is deemed incomplete until it has match identity statements
> router(conf-isa-prof)#mat
> router(conf-isa-prof)#match ide
> router(conf-isa-prof)#match identity ?
>   address    IP Address(es)
>   group      Group name
>   host       match a hostname/domain
>   user-fqdn  match a username/domain
>
> With regards
> Kings
>
> On Wed, Jan 19, 2011 at 7:27 PM, Bruno <[email protected]> wrote:
>> Hi Kingsley,
>>
>> What I think is, as per RFC 4306, it is used when:
>>
>> ID_FQDN 2
>>
>> A fully-qualified domain name string. An example of an ID_FQDN
>> is "example.com". The string MUST not contain any terminators (e.g., NULL,
>> CR, etc.).
>>
>> So, when do you want to match hostnames instead of IPs? I think one useful case
>> is when you have a remote L2L peer with a dynamic IP address. On our side the
>> trick is how to configure the keys. You could configure:
>>
>> crypto isa key XXX address 0.0.0.0
>>
>> That's not the best option. The second way is to match the remote peer's
>> hostname instead. The configuration would be:
>>
>> cry isa key XXX host remotepeer.test.com
>>
>> In this way, whatever IP address it comes to us from, we will be able to validate
>> it. There must be better cases to use it though.
>>
>> Hope it helps
>>
>> On Wed, Jan 19, 2011 at 5:57 AM, Kingsley Charles <[email protected]> wrote:
>>> Hi all
>>>
>>> The hostname option matches when the IKE Identity type is "ID_USER_FQDN".
>>> It's not striking me now in which IPSec case I will get type "ID_USER_FQDN".
>>> Please provide your inputs.
>>>
>>> router(config)#crypto isakmp identity ?
>>>   address   Use the IP address of the interface for the identity
>>>   dn        Use the distinguished name of the router cert for the identity
>>>   hostname  Use the hostname of the router for the identity
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>
>> --
>> Bruno Fagioli (by Jaunty Jackalope)
>> Cisco Security Professional

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
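An added configuration example, not from the thread, putting the two key-matching approaches Bruno describes side by side for a hub that accepts a spoke with a dynamic address. All names (remotepeer.test.com, SPOKE-KEYS, SPOKE-PROF), the 203.0.113.10 address and the key string are constructed placeholders; the spoke is assumed to send ID_FQDN by running `crypto isakmp identity hostname`.

```cisco
! ===== Hub side (constructed example) =====
!
! --- Option 1 (weak): wildcard pre-shared key ---
! Any peer that knows this key is accepted from any source address, so one
! leaked spoke key exposes the whole hub and no identity check takes place.
crypto isakmp key PLACEHOLDER-KEY address 0.0.0.0 0.0.0.0
!
! --- Option 2 (preferred): key bound to the peer's FQDN ---
! The key is selected by the ID_FQDN the peer presents, not by its address.
! IOS must be able to resolve the name; a static entry is shown here, but for
! a peer whose address really changes, DNS that tracks the peer is required.
ip host remotepeer.test.com 203.0.113.10
crypto isakmp key PLACEHOLDER-KEY hostname remotepeer.test.com
!
! Keyring + ISAKMP profile form of the same thing: only a peer presenting
! this identity is matched to this keyring (and to whatever IPsec policy
! references the profile), which is the "match identity host" from the thread.
crypto keyring SPOKE-KEYS
 pre-shared-key hostname remotepeer.test.com key PLACEHOLDER-KEY
!
crypto isakmp profile SPOKE-PROF
 keyring SPOKE-KEYS
 match identity host remotepeer.test.com
!
! ===== Spoke side (constructed example) =====
! Present hostname.domain (ID_FQDN) instead of the dynamic interface address.
hostname remotepeer
ip domain-name test.com
crypto isakmp identity hostname
crypto isakmp key PLACEHOLDER-KEY hostname hub.test.com
```

The profile variant is the one to keep when several spokes share the hub: each spoke gets its own FQDN, keyring entry and profile, so a lost key can be revoked per spoke rather than by rotating one wildcard key everywhere.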
