Hey Guys,
Just wanted to throw this one out. Sometimes I get freaked out about my
certificate map not matching against what I am looking for on the certificate
of the peer, for example:
7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP (0:4003): ID payload
next-payload : 6
type : 9
Dist. name : hostname=ASA2
protocol : 0
port : 0
length : 31
Jul 7 23:06:51.734: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul 7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP:(4003): processing a CT_X509_SIGNATURE cert
Jul 7 23:06:51.738: ISAKMP:(4003): peer's pubkey is cached
Jul 7 23:06:51.738: ISAKMP:(4003): Unable to get DN from certificate!
Jul 7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.
But later on, you see that it continues looking into the Certificate payload
and then:
Jul 7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul 7 23:06:51.742: ISAKMP:(0): Trying to re-validate CERT using new profile
Jul 7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
Jul 7 23:06:51.742: ISAKMP:(4003):Profile has no keyring, aborting key search
Jul 7 23:06:51.742: ISAKMP:(4003): processing SIG payload. message ID = 0
Jul 7 23:06:51.746: ISAKMP:received payload type 17
Jul 7 23:06:51.746: ISAKMP:(4003): processing vendor id payload
Jul 7 23:06:51.746: ISAKMP:(4003): vendor ID is DPD
Jul 7 23:06:51.746: ISAKMP:(4003):SA authentication status:
Mainly it tries to match it against "known fields" following the procedure,
then it checks for the certificate map.
Annnyyway... just wanted to throw it out in case someone freaks out as well.
Mike Rojas
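As an added triage example (not code from the original post), here is a small Python script that walks a constructed sample of this debug output in order and reports whether the early "peer matches *none* of the profiles" line was followed by a certificate-map match and CERT re-validation; the "certificate map matches <name> profile" line layout is assumed from the lines quoted above.

```python
import re

# Constructed sample of "debug crypto isakmp" output, modelled on the lines
# quoted above; it is not a capture from the original poster's router.
SAMPLE_DEBUG = """\
Jul 7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul 7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul 7 23:06:51.738: ISAKMP:(4003): Unable to get DN from certificate!
Jul 7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.
Jul 7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul 7 23:06:51.742: ISAKMP:(0): Trying to re-validate CERT using new profile
Jul 7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
"""

# Patterns for the three lines that decide the outcome; the
# "certificate map matches <name> profile" layout is assumed from the post.
NO_MATCH = re.compile(r"peer matches \*none\* of the profiles")
MAP_MATCH = re.compile(r"certificate map matches (\S+) profile")
CERT_OK = re.compile(r"CERT validity confirmed")


def classify_isakmp_debug(text):
    """Walk the debug lines in order and report how profile selection ended.

    The 'none' line is emitted while only the ID payload has been processed;
    it is benign if a certificate-map match and CERT re-validation follow.
    """
    seen_no_match = False
    profile = None
    cert_ok = False
    for line in text.splitlines():
        if NO_MATCH.search(line):
            seen_no_match = True          # ID-payload stage, cert not yet examined
        m = MAP_MATCH.search(line)
        if m:
            profile = m.group(1)          # certificate-map stage picked a profile
            cert_ok = False               # re-validation must follow this selection
        elif CERT_OK.search(line):
            cert_ok = True
    if profile and cert_ok:
        verdict = "matched via certificate map" + (
            "; earlier 'none' line is benign" if seen_no_match else "")
    elif profile:
        verdict = "profile selected but CERT not re-validated"
    else:
        verdict = "no profile matched"
    return {"transient_no_match": seen_no_match, "profile": profile,
            "cert_confirmed": cert_ok, "verdict": verdict}
```

Running `classify_isakmp_debug(SAMPLE_DEBUG)["verdict"]` on the sample reports the match via the certificate map and flags the earlier "none" line as benign.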