Guys, it is not so much of an issue on the ASA, because by default the ASA uses the DN as the IKE ID when certificates are used for IKE Phase I authentication. Keep this command in mind when working with IOS, though.
Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Sun, Feb 28, 2010 at 7:25 PM, Brian Schultz <[email protected]> wrote:
> Thank you Kings! I had 'crypto isakmp identity address' on the ASA. Works
> perfectly now!
>
> Regards,
> Brian
>
> On Sun, Feb 28, 2010 at 12:19 PM, Kingsley Charles <[email protected]> wrote:
>
>> On Sun, Feb 28, 2010 at 11:49 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> 82 11:41:00.781 02/28/10 Sev=Warning/3 IKE/0xE3000081
>>> Invalid remote certificate id: ID_IPV4_ADDR: ID = 0x0A020908,
>>> Certificate = 0x00000000
>>> 83 11:41:00.781 02/28/10 Sev=Warning/3 IKE/0xE3000059
>>> The peer's certificate doesn't match Phase 1 ID
>>> 84 11:41:00.781 02/28/10 Sev=Warning/2 IKE/0xE30000A7
>>> Unexpected SW error occurred while processing Identity Protection (Main
>>> Mode) negotiator:(Navigator:2263)
>>>
>>> Check out the debugs.
>>>
>>> The VPN client expects the IKE ID to be present in the certificate. In the
>>> client, we don't have an option to disable the peer validation check as we do
>>> on the ASA.
>>>
>>> So we need to ensure that "crypto isakmp identity dn" is configured on
>>> the ASA. This will send all the information in the subject and will match
>>> the IKE ID.
>>>
>>> If you don't enable "crypto isakmp identity dn", it will send the
>>> hostname and will not match the cert's subject and hence the validation
>>> fails.
>>>
>>> With regards
>>> Kings
>>>
>>> On Sun, Feb 28, 2010 at 11:40 PM, Jimmy Larsson <[email protected]> wrote:
>>>
>>>> It looks almost the same as I posted here about last week. I guess
>>>> it has something to do with username. The CN in the cert is ASA1 but
>>>> further down it says "Username = IP ExperT".
>>>>
>>>> Just a guess. Anyone else?
>>>>
>>>> /J
>>>>
>>>> --
>>>> -------
>>>> Jimmy Larsson
>>>> Ryavagen 173
>>>> s-26030 Vallakra
>>>> Sweden
>>>> http://blogg.kvistofta.nu
>>>> -------
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
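The check Kings describes above (the VPN client requires the IKE ID the peer sends to be present in the peer's certificate), as an added Python example that is not from this thread and not Cisco's code: it models what the ASA puts in its ID payload under each of the three `crypto isakmp identity` settings and tests that ID against a constructed certificate. The matching rules are assumptions of the example: a DN must equal the certificate subject, an FQDN must appear as a dNSName subjectAltName, and an IPv4 address must appear as an iPAddress subjectAltName; the DN is carried as a plain string rather than DER, and the organization value is made up. The address 10.2.9.8 is simply the decoded form of the `ID = 0x0A020908` in the debug output.

```python
"""Model of the IKEv1 Phase 1 identity check performed by the VPN client
(added example; matching rules are the example's assumptions, see lead-in)."""
from dataclasses import dataclass, field
import ipaddress

# IKEv1 identification payload types, numbering from RFC 2407 section 4.6.2.1.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_DER_ASN1_DN = 9
ID_TYPE_NAMES = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN",
                 ID_DER_ASN1_DN: "ID_DER_ASN1_DN"}


@dataclass
class PeerCertificate:
    """Constructed stand-in for the peer's X.509 certificate: only the fields
    the identity check looks at (subject DN and subjectAltName entries)."""
    subject_dn: str
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)


@dataclass
class AsaIdentity:
    """The value the ASA would send as its IKE ID under each identity mode."""
    address: str
    hostname: str
    dn: str


def normalize_dn(dn: str) -> tuple:
    """Compare DNs attribute by attribute, case-insensitively, keeping RDN order
    (simplified: splits on commas, so values containing commas are not handled)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip().lower()))
    return tuple(parts)


def ike_id_for_setting(setting: str, asa: AsaIdentity) -> tuple:
    """Map 'crypto isakmp identity {address|hostname|dn}' to the (type, data)
    pair placed in the ID payload. Assumption: the DN is a UTF-8 string, not DER."""
    if setting == "address":
        return ID_IPV4_ADDR, ipaddress.IPv4Address(asa.address).packed
    if setting == "hostname":
        return ID_FQDN, asa.hostname.encode("ascii")
    if setting == "dn":
        return ID_DER_ASN1_DN, asa.dn.encode("utf-8")
    raise ValueError(f"unknown identity setting: {setting}")


def describe_ike_id(id_type: int, data: bytes) -> str:
    """Render the ID the way the client debug prints it, e.g. 'ID = 0x0A020908'."""
    if id_type == ID_IPV4_ADDR:
        return f"{ID_TYPE_NAMES[id_type]}: ID = 0x{int.from_bytes(data, 'big'):08X}"
    return f"{ID_TYPE_NAMES[id_type]}: ID = {data.decode()}"


def ike_id_matches_certificate(id_type: int, data: bytes, cert: PeerCertificate) -> bool:
    """Assumed rules: DN equals the subject; FQDN appears as a dNSName SAN;
    IPv4 address appears as an iPAddress SAN. Anything else is rejected."""
    if id_type == ID_DER_ASN1_DN:
        return normalize_dn(data.decode("utf-8")) == normalize_dn(cert.subject_dn)
    if id_type == ID_FQDN:
        return data.decode("ascii").lower() in [d.lower() for d in cert.san_dns]
    if id_type == ID_IPV4_ADDR:
        return str(ipaddress.IPv4Address(data)) in cert.san_ip
    return False


def check_all_settings(asa: AsaIdentity, cert: PeerCertificate) -> dict:
    """Run the three identity modes against one certificate. False is the case
    in the thread: "The peer's certificate doesn't match Phase 1 ID"."""
    results = {}
    for setting in ("address", "hostname", "dn"):
        id_type, data = ike_id_for_setting(setting, asa)
        results[setting] = ike_id_matches_certificate(id_type, data, cert)
    return results


# Constructed sample data. The certificate from the thread has CN=ASA1 and no
# SANs; the second certificate shows what it would take for the address and
# hostname modes to pass as well.
ASA = AsaIdentity(address="10.2.9.8", hostname="ASA1", dn="CN=ASA1, O=IPexpert")
CERT_DN_ONLY = PeerCertificate(subject_dn="CN=ASA1, O=IPexpert")
CERT_WITH_SANS = PeerCertificate(subject_dn="CN=ASA1, O=IPexpert",
                                 san_dns=["asa1"], san_ip=["10.2.9.8"])

if __name__ == "__main__":
    for label, cert in (("cert with subject only", CERT_DN_ONLY),
                        ("cert with SANs", CERT_WITH_SANS)):
        print(label)
        for setting in ("address", "hostname", "dn"):
            id_type, data = ike_id_for_setting(setting, ASA)
            ok = ike_id_matches_certificate(id_type, data, cert)
            print(f"  crypto isakmp identity {setting:8s} -> "
                  f"{describe_ike_id(id_type, data)} -> {'match' if ok else 'MISMATCH'}")
```

Running it shows that with a certificate carrying only `CN=ASA1`, the `address` and `hostname` modes both produce the mismatch the client logged, while `dn` matches; the second certificate makes the point that the alternative to changing the ASA identity is issuing the certificate with the matching subjectAltName entries.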
