Hey,

It was L2L to IOS. The tunnel group was with the IP address, but it had to land 
there based on certificate maps. It only creeped me out that first "none of the 
profiles", but that is one of the first checks that it does; later on it matches 
the certificate map and it lands in the correct tunnel group.

Mike Rojas
Security Technical Lead


From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Certificate maps,
Date: Sun, 8 Jul 2012 18:31:09 +0000

Hi Mike,
Is it an ASA-to-ASA lan2lan tunnel? What's the tunnel-group name?

Eugene


From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Saturday, July 07, 2012 4:12 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Certificate maps,

Hey Guys,

Just wanted to throw this one out. Sometimes I get freaked out about my 
certificate map not matching against what I am looking for on the certificate 
of the peer, for example:

  7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul  7 23:06:51.734: ISAKMP (0:4003): ID payload
        next-payload : 6
        type         : 9
        Dist. name   : hostname=ASA2
        protocol     : 0
        port         : 0
        length       : 31
Jul  7 23:06:51.734: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul  7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul  7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul  7 23:06:51.734: ISAKMP:(4003): processing a CT_X509_SIGNATURE cert
Jul  7 23:06:51.738: ISAKMP:(4003): peer's pubkey is cached
Jul  7 23:06:51.738: ISAKMP:(4003): Unable to get DN from certificate!
Jul  7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.

But later on, you see that it continues looking into the Certificate payload 
and then:

Jul  7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul  7 23:06:51.742: ISAKMP:(0): Trying to re-validate CERT using new profile
Jul  7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
Jul  7 23:06:51.742: ISAKMP:(4003):Profile has no keyring, aborting key search
Jul  7 23:06:51.742: ISAKMP:(4003): processing SIG payload. message ID = 0
Jul  7 23:06:51.746: ISAKMP:received payload type 17
Jul  7 23:06:51.746: ISAKMP:(4003): processing vendor id payload
Jul  7 23:06:51.746: ISAKMP:(4003): vendor ID is DPD
Jul  7 23:06:51.746: ISAKMP:(4003):SA authentication status:

Mainly it tries to match it against "known fields" following the procedure, 
then it checks for the certificate map.

Annnyyway... just wanted to throw it out in case someone freaks out as well. 

Mike Rojas
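As an added example (not part of the thread), a small Python helper that walks this ISAKMP debug output in order and reports which check produced the final profile selection, so the early "peer matches *none* of the profiles" line can be read in context. The sample lines are the ones quoted above, abridged; the keyring remark in the code is my interpretation, not something the thread states.

```python
import re

# Constructed sample: the ISAKMP debug lines quoted in the thread (abridged), not a live capture.
SAMPLE_DEBUG = """\
Jul  7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul  7 23:06:51.734: ISAKMP (0:4003): ID payload
        type         : 9
        Dist. name   : hostname=ASA2
Jul  7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul  7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul  7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.
Jul  7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul  7 23:06:51.742: ISAKMP:(0): Trying to re-validate CERT using new profile
Jul  7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
Jul  7 23:06:51.742: ISAKMP:(4003):Profile has no keyring, aborting key search
"""

# Each pattern marks one step of the profile-selection sequence seen in the debug.
PATTERNS = {
    "peer_id":        re.compile(r"Dist\. name\s*:\s*(\S+)"),
    "id_no_match":    re.compile(r"peer matches \*none\* of the profiles"),
    "cert_map_hit":   re.compile(r"certificate map matches (\S+) profile"),
    "cert_validated": re.compile(r"CERT validity confirmed"),
    "no_keyring":     re.compile(r"Profile has no keyring"),
}

def summarize_profile_selection(debug_text):
    """Walk the debug output in order and record how the ISAKMP profile was chosen."""
    s = {"peer_id": None, "id_no_match": False, "cert_map_profile": None,
         "cert_validated": False, "notes": []}
    for line in debug_text.splitlines():
        if m := PATTERNS["peer_id"].search(line):
            s["peer_id"] = m.group(1)
        elif PATTERNS["id_no_match"].search(line):
            s["id_no_match"] = True   # identity check runs first and found no match
        elif m := PATTERNS["cert_map_hit"].search(line):
            s["cert_map_profile"] = m.group(1)   # certificate map selected a profile
        elif PATTERNS["cert_validated"].search(line):
            s["cert_validated"] = True
        elif PATTERNS["no_keyring"].search(line):
            s["notes"].append("profile has no keyring: only pre-shared-key auth needs one")
    return s

def final_profile(summary):
    """The certificate-map match, once the cert re-validates, overrides the earlier 'none'."""
    if summary["cert_map_profile"] and summary["cert_validated"]:
        return summary["cert_map_profile"]
    return None   # genuinely unmatched: the '*none*' line was the last word
```

Run it over a full `debug crypto isakmp` capture; a result of `None` from `final_profile` is the case that actually deserves attention.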