The ASA checks the cert's Subject Alt Name against the hostname sent in the IKE ID. But there is a known issue that IOS certs don't have a Subject Alt Name, and hence the ASA rejects the cert from the IOS.

Either you configure IOS to use identity type dn, or disable peer ID validation under the tunnel group.

With regards,
Kings
CCNA, CCSP, CCNP, CCIP, CCIE 35914 (Security)

On Mon, Sep 3, 2012 at 8:21 PM, GuardGrid <[email protected]> wrote:
> All,
>
> I wanted to confirm my understanding of this concept.
>
> It looks like when you configure cert-based auth, the ASA with its default
> setting of "crypto isakmp identity auto" will send the DN name of the cert,
> and as long as you have "crypto isakmp identity dn" on the IOS the
> tunnel works perfectly.
>
> If I change that to "crypto isakmp identity hostname" on both IOS and ASA,
> I keep getting the below in the debugs of the ASA:
>
> Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, Trying to find group via OU...
> Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, No Group found by matching OU(s) from ID payload: Unknown
> Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, Trying to find group via IKE ID...
> *Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, Connection landed on tunnel_group R1.ipexpert.com*
> *Sep 03 10:47:36 [IKEv1 DEBUG]: Group = R1.ipexpert.com, IP = 192.1.49.1, peer ID type 2 received (FQDN)*
> *Sep 03 10:47:36 [IKEv1]: Group = R1.ipexpert.com, IP = 192.1.49.1, Unable to compare IKE ID against peer cert Subject Alt Name*
>
> I have also tried using isakmp profiles and setting the self-identity to
> fqdn instead of the global setting on the IOS, but the same issue. Also
> tried using the IP address on the tunnel group on the ASA, and same errors.
>
> What am I missing here?
>
> Let me know if possible.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
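For reference, here are the two remedies from the reply written out as configuration, side by side with the setting that produced the "Unable to compare IKE ID against peer cert Subject Alt Name" debug. This is an added example and not configuration posted by either participant; the trustpoint names (CA-TP, ASA-TP), the ISAKMP profile name (ASA-PEER), the ASA address 192.1.49.2 and the ASA 8.4 `ikev1 trust-point` keyword are assumptions. The router address 192.1.49.1 and the tunnel-group name R1.ipexpert.com are taken from the debug output above.

```text
! ===== IOS side (R1, 192.1.49.1) =====

! Setting that fails in the thread: the router sends its FQDN as the IKE ID.
! The ASA then looks for that FQDN in the certificate's Subject Alt Name,
! and an IOS-enrolled certificate without a SAN cannot be matched.
crypto isakmp identity hostname

! Fix 1 (preferred): send the certificate's DN as the IKE ID. The ASA
! compares a DN identity against the certificate subject, so no SAN is needed
! and the identity stays bound to the certificate.
crypto isakmp identity dn

! Same fix scoped to one peer when an ISAKMP profile is used for it
! (profile name, peer address and trustpoint name are assumed).
crypto isakmp profile ASA-PEER
 self-identity dn
 match identity address 192.1.49.2 255.255.255.255
 ca trust-point CA-TP


! ===== ASA side =====

! Default: with certificate authentication the ASA sends its own DN.
crypto isakmp identity auto

tunnel-group R1.ipexpert.com type ipsec-l2l
tunnel-group R1.ipexpert.com ipsec-attributes
 ikev1 trust-point ASA-TP
 ! Default behaviour (peer-id-validate req): the peer's IKE ID must match
 ! its certificate. Keep this when Fix 1 is applied on the router.
 peer-id-validate req

! Fix 2 (weaker): stop comparing the peer's IKE ID with its certificate.
! The certificate is still validated against the CA, but the identity the
! peer claims in IKE is no longer tied to the certificate it presents, so
! prefer Fix 1 and use this only when the router cannot send a DN identity.
tunnel-group R1.ipexpert.com ipsec-attributes
 peer-id-validate nocheck
```

Two points to check after changing the identity type. First, a DN identity will no longer match a tunnel group named by FQDN: the ASA then selects the group from the certificate OU, a certificate map, or the peer's IP address, falling back to DefaultL2LGroup, so name the tunnel group accordingly before testing. Second, confirm the result with `show crypto isakmp sa` on both sides rather than relying on the absence of the SAN error alone, since with `peer-id-validate nocheck` the tunnel comes up even when the ID and certificate disagree.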
