All, I wanted to confirm my understanding of this concept.

It looks like when you configure cert-based auth, the ASA with its default setting of "crypto isakmp identity auto" will send the DN name of the cert, and as long as you have "crypto isakmp identity dn" on the IOS, the tunnel works perfectly. If I change that to "crypto isakmp identity hostname" on both IOS and ASA, I keep getting the below in the debugs on the ASA:

  Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, Trying to find group via OU...
  Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, No Group found by matching OU(s) from ID payload: Unknown
  Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, Trying to find group via IKE ID...
  *Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, Connection landed on tunnel_group R1.ipexpert.com*
  *Sep 03 10:47:36 [IKEv1 DEBUG]: Group = R1.ipexpert.com, IP = 192.1.49.1, peer ID type 2 received (FQDN)*
  *Sep 03 10:47:36 [IKEv1]: Group = R1.ipexpert.com, IP = 192.1.49.1, Unable to compare IKE ID against peer cert Subject Alt Name*

I have also tried using isakmp profiles and setting the self-identity to fqdn instead of the global setting on the IOS, but the same issue. Also tried using the IP address on the tunnel group on the ASA, and same errors.

What am I missing here? Let me know if possible.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
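Editor's note, added here and not part of the original post or its replies: the ASA debug above lands on the right tunnel-group (R1.ipexpert.com) and then fails at "Unable to compare IKE ID against peer cert Subject Alt Name". When the identity type is hostname, the ID payload is an FQDN (ID type 2), and the ASA checks that FQDN against the Subject Alternative Name of the peer's certificate rather than against its Subject DN. A cert enrolled with only a CN in the subject has no SAN to compare, which produces exactly this message. The configuration pair below is a worked example of the layout that satisfies that check; the trustpoint name, CA URL, and the assumption that the router's certificate currently lacks a SAN dNSName are mine, not taken from the post. It is written for IOS and a pre-8.4 ASA ("trust-point" under ipsec-attributes); on ASA 8.4 and later the keyword is "ikev1 trust-point".

```text
! ---- IOS router R1 (assumed hostname R1, domain ipexpert.com) ----
hostname R1
ip domain-name ipexpert.com
!
! The trustpoint must put R1.ipexpert.com into the certificate's
! Subject Alternative Name, which is what the ASA compares the FQDN
! IKE ID against. "fqdn" under the trustpoint does that at enrollment
! time; a cert that already exists without it must be re-enrolled.
crypto pki trustpoint IPEXPERT-CA
 enrollment url http://192.1.49.100:80      ! assumed CA address
 subject-name CN=R1.ipexpert.com,OU=R1
 fqdn R1.ipexpert.com
 revocation-check none
!
crypto pki authenticate IPEXPERT-CA
crypto pki enroll IPEXPERT-CA
!
! Send the FQDN (hostname + domain-name) as the IKE ID instead of the DN.
crypto isakmp identity hostname
!
! After enrollment, confirm the SAN is really present before testing:
!   show crypto pki certificates verbose IPEXPERT-CA
! and look for R1.ipexpert.com in the Subject Alternative Name section.

! ---- ASA (assumed hostname ASA1, domain ipexpert.com) ----
hostname ASA1
domain-name ipexpert.com
!
crypto isakmp identity hostname
!
! The tunnel-group name must equal the FQDN the router sends as its
! IKE ID, and that FQDN must appear in the router cert's SAN.
tunnel-group R1.ipexpert.com type ipsec-l2l
tunnel-group R1.ipexpert.com ipsec-attributes
 trust-point ASA-CA                         ! assumed ASA trustpoint name
!
! The same rule applies in the other direction: the ASA's own
! certificate needs ASA1.ipexpert.com in its SAN if the router is
! configured to validate the ASA's FQDN identity against it.
```

The practical check is the "show crypto pki certificates verbose" output on the router: if the Subject Alternative Name is missing or does not match the FQDN that "crypto isakmp identity hostname" sends, the ASA will keep logging the "Unable to compare IKE ID against peer cert Subject Alt Name" line regardless of which tunnel-group it lands on, which is why changing the tunnel-group name to the IP address did not help in the post above.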
