crypto isakmp profile TEST
 keyring TEST-KEY
 self-identity user-fqdn [email protected]
2011/1/19 Bruno <[email protected]>
> Well, about this one, I have some difficulty understanding it too.
>
> Initially I thought it would be to match some info on the certificate until
> I met certificate-map. Nowadays, I am not using it for anything anymore.
>
> On Wed, Jan 19, 2011 at 12:30 PM, Kingsley Charles <[email protected]> wrote:
>
>> Hi Bruno
>>
>> There was a typo in the previous mail. Actually I was looking for an IPSec use
>> case, where we match user-fqdn in ISAKMP profiles.
>>
>> router(config)#crypto isakmp profile prof
>> % A profile is deemed incomplete until it has match identity statements
>> router(conf-isa-prof)#mat
>> router(conf-isa-prof)#match ide
>> router(conf-isa-prof)#match identity ?
>>   address    IP Address(es)
>>   group      Group name
>>   host       match a hostname/domain
>>   user-fqdn  match a username/domain
>>
>> With regards
>> Kings
>>
>> On Wed, Jan 19, 2011 at 7:27 PM, Bruno <[email protected]> wrote:
>>
>>> Hi Kingsley,
>>>
>>> What I think is, as per RFC 4306, it is used when:
>>>
>>> ID_FQDN 2
>>>
>>> A fully-qualified domain name string. An example of an ID_FQDN
>>> is "example.com". The string MUST not contain any terminators (e.g.,
>>> NULL, CR, etc.).
>>>
>>> So, when do you want to match hostnames instead of IPs? I think one useful
>>> case is when you have a remote l2l peer with a dynamic IP address. On our
>>> side the trick is how to configure the keys. You could configure:
>>>
>>> crypto isa key XXX address 0.0.0.0
>>>
>>> That's not the best option. The second way is to match the remote peer's
>>> hostname instead. The configuration would be:
>>>
>>> cry isa key XXX host remotepeer.test.com
>>>
>>> In this way, whatever IP address it comes to us from, we will be able to
>>> validate it. There must be better cases to use it though.
>>>
>>> Hope it helps
>>>
>>> On Wed, Jan 19, 2011 at 5:57 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Hi all
>>>>
>>>> The hostname option matches when the IKE Identity type is
>>>> "ID_USER_FQDN". It's not striking me now in which IPSec case I will get
>>>> type "ID_USER_FQDN".
>>>> Please provide your inputs.
>>>>
>>>> router(config)#crypto isakmp identity ?
>>>>   address   Use the IP address of the interface for the identity
>>>>   dn        Use the distinguished name of the router cert for the
>>>>             identity
>>>>   hostname  Use the hostname of the router for the identity
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
>>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
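As an added illustration (not one of the thread's messages, and not a configuration any poster supplied), here are the two approaches Bruno contrasts written out side by side as IOS configuration. The wildcard key is the weak form: any peer that presents the key is accepted from any address, and nothing ties the key to an identity. The keyring plus ISAKMP profile form binds the key to the peer's name and limits the profile to the identities listed under `match identity`, so an ID_FQDN or ID_USER_FQDN from an unknown peer fails to match instead of falling through to the wildcard. Names taken from the thread: TEST, TEST-KEY, remotepeer.test.com and the self-identity string; the key value, the remote user-fqdn, and the IPsec profile and transform set that bind the profile to a tunnel are assumed placeholders.

```cisco
! --- Weak form from the thread: one wildcard pre-shared key for any peer address.
! --- Every peer is looked up by IP, and 0.0.0.0 0.0.0.0 matches all of them.
crypto isakmp key XXX address 0.0.0.0 0.0.0.0

! --- Preferred form: key bound to the peer's name, identity checked by profile.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
!
! Key is selected by the identity the peer presents, not by its source address.
crypto keyring TEST-KEY
 pre-shared-key hostname remotepeer.test.com key PLACEHOLDER-KEY
!
! Only the listed identities can negotiate under this profile.
crypto isakmp profile TEST
 keyring TEST-KEY
 self-identity user-fqdn [email protected]
 match identity host remotepeer.test.com
 match identity user-fqdn PLACEHOLDER-REMOTE-USER-FQDN
!
! Assumed tunnel binding (not shown in the thread): tie the profile to a VTI.
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS
 set isakmp-profile TEST
```

One caveat worth checking before relying on name-based keys with IKEv1: in main mode the peer's identity payload is sent only in messages 5 and 6, after the pre-shared key has already been needed to derive keying material, so the key must still be found by address. Aggressive mode carries the identity in the first message, which is why hostname and user-fqdn keys are usable there, and certificate (rsa-sig) authentication or IKEv2 removes the problem entirely. `show crypto isakmp sa detail` and `show crypto session` confirm which profile and identity a live session matched.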
