I think it has to do with the order the ASA processes the incoming IPSec connection. AFAIK it first matches the tunnel-group name based on the peer IKE ID. It may be the peer IP address, hostname or even a group name (in case of EzVPN). Then comes OU field matching if the ISAKMP is configured for certificate-based authentication, or you may match on any field with your certificate map. And finally it falls back to the remote host IP address, which is a last-resort method and the only way to match the identity with a PSK.
So, when you see "peer matches *none* of the profiles" it is a way to say that the peer IKE ID was not matched to any of the connection profiles/tunnel-groups known to your ASA.

From: Mike Rojas [mailto:[email protected]]
Sent: Sunday, July 08, 2012 11:37 AM
To: Eugene Pefti; [email protected]
Subject: RE: [OSL | CCIE_Security] Certificate maps,

Hey,

It was L2L to IOS, the tunnel group was with the IP address but it had to land there based on certificate maps, it only creeped me out that first "none of the profiles" but that is one of the first checks that it does, later on it matches the certificate map and it lands to the correct tunnel group.

Mike Rojas
Security Technical Lead

________________________________
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Certificate maps,
Date: Sun, 8 Jul 2012 18:31:09 +0000

Hi Mike,

Is it ASA to ASA lan2lan tunnel? What's the tunnel-group name?

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Saturday, July 07, 2012 4:12 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Certificate maps,

Hey Guys,

Just wanted to throw this one out. Sometimes I got freaked out about my certificate map not matching against what I am looking for on the Certificate of the peer, for example:

7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP (0:4003): ID payload
        next-payload : 6
        type         : 9
        Dist. name   : hostname=ASA2
        protocol     : 0
        port         : 0
        length       : 31
Jul 7 23:06:51.734: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul 7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP:(4003): processing a CT_X509_SIGNATURE cert
Jul 7 23:06:51.738: ISAKMP:(4003): peer's pubkey is cached
Jul 7 23:06:51.738: ISAKMP:(4003): Unable to get DN from certificate!
Jul 7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.

But later on, you see that it continues looking into the Certificate payload and then:

Jul 7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul 7 23:06:51.742: ISAKMP:(0): Trying to re-validate CERT using new profile
Jul 7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
Jul 7 23:06:51.742: ISAKMP:(4003):Profile has no keyring, aborting key search
Jul 7 23:06:51.742: ISAKMP:(4003): processing SIG payload. message ID = 0
Jul 7 23:06:51.746: ISAKMP:received payload type 17
Jul 7 23:06:51.746: ISAKMP:(4003): processing vendor id payload
Jul 7 23:06:51.746: ISAKMP:(4003): vendor ID is DPD
Jul 7 23:06:51.746: ISAKMP:(4003):SA authentication status:

Mainly it tries to match it against "known fields" following the procedure, then it checks for the certificate map.

Annnyyway... just wanted to throw it out in case someone freaks out as well.

Mike Rojas
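As an added illustration (not code from anyone in this thread), here is a small Python checker that walks a "debug crypto isakmp" excerpt in the order Eugene describes: IKE ID first, then OU, then the certificate map. It turns the scary-looking "peer matches *none* of the profiles" line into a verdict only after seeing whether a later certificate-map match resolved it. The sample is constructed from the debug lines in Mike's post; the "peer matches <name> profile" form used for a direct ID match is an assumption.

```python
import re

# Constructed sample, trimmed from the IOS "debug crypto isakmp" excerpt in the post.
SAMPLE_DEBUG = """\
Jul 7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP (0:4003): ID payload
        next-payload : 6
        type         : 9
        Dist. name   : hostname=ASA2
Jul 7 23:06:51.734: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul 7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.
Jul 7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul 7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
Jul 7 23:06:51.742: ISAKMP:(4003):Profile has no keyring, aborting key search
"""

ID_TYPE_RE = re.compile(r"^\s*type\s*:\s*(\d+)")
ID_NAME_RE = re.compile(r"^\s*Dist\. name\s*:\s*(.+?)\s*$")
PROFILE_RE = re.compile(r"peer matches (\S+) profile")   # assumed form of a direct ID match
CERTMAP_RE = re.compile(r"certificate map matches (\S+) profile")

def analyze_isakmp_debug(text: str) -> dict:
    """Walk the debug stream in order and record how the peer was matched to a profile."""
    r = {"id_type": None, "peer_id": None, "id_profile": None,
         "ou_present": True, "certmap_profile": None, "cert_valid": False}
    for line in text.splitlines():
        if m := ID_TYPE_RE.match(line):
            r["id_type"] = int(m.group(1))          # 9 = ID_DER_ASN1_DN
        elif m := ID_NAME_RE.match(line):
            r["peer_id"] = m.group(1)
        elif "peer matches *none* of the profiles" in line:
            r["id_profile"] = None                   # step 1 (IKE ID) found nothing; not yet an error
        elif m := PROFILE_RE.search(line):
            r["id_profile"] = m.group(1)             # step 1 succeeded directly
        elif "contains no OU field" in line:
            r["ou_present"] = False                  # step 2 (OU matching) cannot apply
        elif m := CERTMAP_RE.search(line):
            r["certmap_profile"] = m.group(1)        # step 3: the certificate map decided it
        elif "CERT validity confirmed" in line:
            r["cert_valid"] = True
    if r["certmap_profile"] and r["cert_valid"]:
        r["verdict"] = "matched-by-certmap"          # the earlier *none* was only step 1 failing
    elif r["id_profile"]:
        r["verdict"] = "matched-by-id"
    else:
        r["verdict"] = "unmatched"                   # nothing claimed the peer; worth a look
    return r
```

Run it over a full debug capture and look only at "unmatched" verdicts; a "none" line that is followed by a certificate-map match is the normal sequence Mike saw, not a misconfiguration.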