So it looks like the ASA will by default try to compare the IKE ID with the Subject Alt Name, which is not present, I guess. After enabling "peer-id validate cert" under the tunnel group I do not see that error. It was not clear from the debugs, but I am assuming that it now compares with the FQDN presented by R1.
So, either set the crypto isakmp identity dn on the IOS and tunnel group set as IP, or set identity hostname on both ends and set peer-id validate to cert under the tunnel group. Does that make sense?

On Mon, Sep 3, 2012 at 10:51 AM, GuardGrid <[email protected]> wrote:
> All,
>
> I wanted to confirm my understanding of this concept.
>
> It looks like when you configure cert based auth, ASA with its default setting of "crypto isakmp identity auto" will send the DN name of the cert, and as long as you have the "crypto isakmp identity dn" on the IOS the tunnel works perfectly.
>
> If I change that to "crypto isakmp identity hostname" on both IOS and ASA I keep getting the below on the debugs of the ASA:
>
> Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, Trying to find group via OU...
> Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, No Group found by matching OU(s) from ID payload: Unknown
> Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, Trying to find group via IKE ID...
> *Sep 03 10:47:36 [IKEv1]: IP = 192.1.49.1, Connection landed on tunnel_group R1.ipexpert.com*
> *Sep 03 10:47:36 [IKEv1 DEBUG]: Group = R1.ipexpert.com, IP = 192.1.49.1, peer ID type 2 received (FQDN)*
> *Sep 03 10:47:36 [IKEv1]: Group = R1.ipexpert.com, IP = 192.1.49.1, Unable to compare IKE ID against peer cert Subject Alt Name*
>
> I have also tried using isakmp profiles and setting the self-identity to fqdn instead of the global setting on the IOS, but the same issue. Also tried using the IP address on the tunnel group on the ASA and same errors.
>
> What am I missing here?
>
> Let me know if possible.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
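The two options sketched in the reply above, written out side by side as an added example. This is not configuration from the original thread or from either poster; the peer address 192.1.49.1 and the FQDN R1.ipexpert.com are taken from the quoted debug output, while the trustpoint name, the CA enrollment URL, the ISAKMP policy parameters and the ASA 8.4-style `ikev1` keyword are assumptions. Crypto maps, transform sets and the interface the map is applied to are the same in both options and are omitted.

```text
! ===== Option A: DN identity =====
! R1 (IOS): send the certificate DN as the IKE ID. Trustpoint name and
! enrollment URL are assumed for the example.
crypto pki trustpoint IPEXPERT-CA
 enrollment url http://ca.ipexpert.com:80
 revocation-check none
crypto isakmp policy 10
 encr aes
 authentication rsa-sig
 group 2
crypto isakmp identity dn

! ASA: leave the default identity ("auto" sends the DN with cert auth) and
! name the L2L tunnel group by R1's IP address so the fallback lookup
! by peer address lands on it. "ikev1 trust-point" is the 8.4+ form;
! older images use "trust-point".
crypto isakmp identity auto
tunnel-group 192.1.49.1 type ipsec-l2l
tunnel-group 192.1.49.1 ipsec-attributes
 ikev1 trust-point IPEXPERT-CA

! ===== Option B: hostname (FQDN) identity on both ends =====
! R1 (IOS): the FQDN in the ID payload is built from hostname + ip domain-name,
! so both must be set; otherwise the ID will not be R1.ipexpert.com.
hostname R1
ip domain-name ipexpert.com
crypto isakmp identity hostname

! ASA: same identity type, tunnel group named by R1's FQDN (this is the
! "Connection landed on tunnel_group R1.ipexpert.com" match in the debugs),
! and peer-id-validate changed from the default "req" to "cert".
domain-name ipexpert.com
crypto isakmp identity hostname
tunnel-group R1.ipexpert.com type ipsec-l2l
tunnel-group R1.ipexpert.com ipsec-attributes
 ikev1 trust-point IPEXPERT-CA
 peer-id-validate cert
```

`peer-id-validate` takes `req`, `cert` or `nocheck`. With `cert` the peer still has to present a certificate that chains to the configured trustpoint; the change only affects whether the ASA insists on matching the IKE ID payload against a Subject Alt Name in that certificate, which is what the "Unable to compare IKE ID against peer cert Subject Alt Name" line is about when R1's certificate carries no SAN. `nocheck` disables the identity check altogether and is the one to avoid, since it lets any holder of a certificate from that CA match the tunnel group. With Option A, if more than one peer has to land on the ASA by certificate rather than by address, a certificate map bound with `tunnel-group-map` is the usual way to select the tunnel group from DN fields instead of relying on the peer IP.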
