I think I have read every possible thing I can about this on the
internet but am still confused. Forgive me if this has been discussed
to death previously.

When we build L2L IPsec between a router and ASA with RSA signature
authentication it will often fail because the ASA cannot validate the
IKE ID sent by the IOS router against the subject alternative name
field in the IOS router digital cert. This is often because the
subject alternative name field is not inserted into a cert issued by IOS
CA and thus does not exist.

One way to get around this is to change the IKE ID sent by the IOS
router to the cert DN using "crypto isakmp identity dn".

I get that... so we are sending the DN as the IKE ID instead of the
default hostname. How does that affect what field in the cert the ASA
checks though? I mean regardless of what I send in the IKE ID it seems
the ASA is still going to compare whatever is sent with the subject
alternative name in the certificate which STILL doesn't exist. Nothing
I put in the IKE ID should change the fact that the subject alt name
field is still empty.

That is not what happens though as changing the IKE ID to DN solves the problem.

I can only conclude that when we send DN as the IKE ID the ASA either
does not check the subject alternative name field against the IKE ID but
instead checks something else like the DN. When we set the IKE ID to
DN does the ASA magically compare that to some other field in the
certificate instead of subject alt name?

I get that this fixes the problem I just don't fully get why.

The other fix is to disable "peer-id-validate" on the ASA or set it to
"peer-id-validate cert" as opposed to the default "req" option. The
first option makes sense -- disable the check. The second doesn't.
From what I understand the cert option uses digital certificates if
available and if not allows the tunnel group to fall back to PSK
(Richard Deal). I don't get at all how that makes the ASA either not
check the subject alt name at all or check some other field in the
certificate instead against the IKE ID from the router.

Any help is appreciated guys.

-- 

Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
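The two settings discussed in the post, shown side by side as an added configuration example (this is not from the original post; the tunnel-group name, peer address, and ISAKMP policy values are assumed placeholders). With "crypto isakmp identity dn" the router's IKE ID is sent as a DER ASN.1 DN, and the ASA's identity check compares a DN-type ID against the certificate Subject rather than the Subject Alternative Name, which is why an empty SAN stops mattering:

```text
! --- IOS router side ---
! Default: the router sends its hostname (FQDN) as the IKE identity, which the
! ASA then tries to match against the certificate's Subject Alternative Name.
! Send the certificate Distinguished Name instead, so the ASA matches the
! IKE ID against the certificate Subject:
crypto isakmp identity dn
!
! Assumed placeholder policy; the only required piece is rsa-sig authentication.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
!
! --- ASA side (tunnel-group named by the assumed peer address 198.51.100.1) ---
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ! Default is "peer-id-validate req": the IKE ID must match a certificate field.
 ! The two alternatives the post describes:
 peer-id-validate cert
 ! or, to skip the check entirely:
 ! peer-id-validate nocheck
```

Use "crypto isakmp identity dn" on the router when you want to keep the ASA's default "req" validation and simply give it a field that exists in the certificate; use "peer-id-validate cert" or "nocheck" only when you are prepared to accept a weaker binding between the IKE identity and the certificate.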