Hi, first things first, check your local RSA keys, especially if you are doing this on a GNS router as I have worked out the painful way that they are lost on reboot so you may need to recreate your RSA keys and re-enroll with your CA. I was doing some similar Easy VPN work to what you are trying to do and when testing this for you got the same issues as you but was able to resolve them and get it working after I realised my GNS router had lost its local RSA keys associated with its cert after a reboot. Deleting the trustpoint, recreating the keys and then reconfiguring the trustpoint resolved the issue and it started working.
Additionally, it seems like you are missing the "client configuration group" command under the ISAKMP profile to apply the client group settings from a locally configured client group for connections that match the ISAKMP profile. I don't think there is any need to apply the "client pki authorization" command as this is used to extract a username for XAUTH from a certificate based on the field defined in the command "authorization username subjectname" under the trustpoint, but you can still do XAUTH manually by entering the username and password via the client without these commands.

Ben

On Sun, Jul 22, 2012 at 7:03 AM, Eduardo De Los Cobos <[email protected]> wrote:
> I think you should add the "crypto pki authorization" to the isakmp
> profile.
>
> Sent from my iPhone
>
> On 21/07/2012, at 15:21, GuardGrid <[email protected]> wrote:
>
> Actually I removed that and if you notice now just matching by identity
> and I can see from the debugs that it is picking up the right profile.
>
> crypto isakmp profile ISAKMP_PROF
>  match identity group CCIE
>
> Also, when I add OU=CCIE the IOS parser converts that and shows up as ou =
> ccie on the sh run.
>
> On Sat, Jul 21, 2012 at 4:04 PM, Karthik sagar <[email protected]> wrote:
>
>> In your certificate map, the line 'subject-name co ou = ccie', can you
>> try removing the spaces between 'ou = ccie'. I think the certificate
>> matching is not happening correctly. Also, I am not sure if the matching is
>> case insensitive.
>>
>> Regards,
>> Karthik
>>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
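For reference, here is a minimal IOS Easy VPN server configuration that pulls together the pieces discussed in this thread: checking and regenerating the trustpoint's RSA keys, a certificate map on the client OU, and an ISAKMP profile that binds a local client group with "client configuration group". This is an added example, not configuration posted by anyone in the thread; the trustpoint name LAB-CA, key label EZVPN-KEYS, certificate map CCIE-CERTS, AAA list names, addresses and the placeholder secret are all assumed and should be replaced with your own values. The profile and group names ISAKMP_PROF and CCIE are taken from the thread.

```cisco
! --- 1. Confirm the RSA key pair the router cert was issued against still exists ---
! (on a GNS3 router it can vanish after a reboot, which silently breaks rsa-sig auth)
show crypto key mypubkey rsa
show crypto pki certificates
! If the key pair is gone: drop the trustpoint, regenerate the keys, re-enroll.
configure terminal
 no crypto pki trustpoint LAB-CA
 crypto key generate rsa label EZVPN-KEYS modulus 2048
 crypto pki trustpoint LAB-CA
  enrollment url http://192.0.2.10:80
  subject-name CN=ezvpn-server,OU=CCIE
  rsakeypair EZVPN-KEYS
  revocation-check none
  ! Only relevant if you later use "client pki authorization": selects the
  ! certificate field IOS takes the XAUTH username from.
  authorization username subjectname commonname
 exit
 exit
crypto pki authenticate LAB-CA
crypto pki enroll LAB-CA

! --- 2. Certificate map: select client certs whose subject contains ou = ccie ---
! (IOS normalises "OU=CCIE" to "ou = ccie" in the running config)
configure terminal
 crypto pki certificate map CCIE-CERTS 10
  subject-name co ou = ccie

! --- 3. AAA lists and the local client group whose attributes get pushed down ---
 aaa new-model
 aaa authentication login XAUTH-LIST local
 aaa authorization network GROUP-LIST local
 username ccie-user secret PLACEHOLDER-SECRET

 ip local pool EZVPN-POOL 10.10.10.1 10.10.10.50
 ip access-list extended SPLIT-ACL
  permit ip 10.0.0.0 0.255.255.255 any

 crypto isakmp client configuration group CCIE
  pool EZVPN-POOL
  acl SPLIT-ACL
  dns 10.0.0.53
  domain lab.example

! --- 4. Phase 1 policy using certificates rather than a pre-shared key ---
 crypto isakmp policy 10
  encryption aes
  hash sha
  authentication rsa-sig
  group 2

! --- 5. ISAKMP profile: match the cert map / identity group, then bind the group ---
 crypto isakmp profile ISAKMP_PROF
  ca trust-point LAB-CA
  match certificate CCIE-CERTS
  match identity group CCIE
  client authentication list XAUTH-LIST
  isakmp authorization list GROUP-LIST
  client configuration address respond
  ! This is the line the original config was missing: without it the CCIE
  ! group's pool/ACL/DNS are never applied to sessions hitting this profile.
  client configuration group CCIE
  virtual-template 1

! --- 6. IPsec profile and virtual template the profile terminates on ---
 crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
 crypto ipsec profile IPSEC_PROF
  set transform-set EZVPN-TS
  set isakmp-profile ISAKMP_PROF
 interface Virtual-Template1 type tunnel
  ip unnumbered GigabitEthernet0/0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile IPSEC_PROF
 end

! --- 7. Verify which profile a connecting client lands in ---
debug crypto isakmp
show crypto isakmp sa
show crypto session detail
```

When testing, watch the ISAKMP debug for the profile name being selected; if it is matched but the client never receives a pool address, the group binding in step 5 is the first thing to recheck, and if rsa-sig authentication fails outright, go back to step 1 and confirm the key pair named by rsakeypair is actually present.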
