Hi,
I came across the configuration of an L2L VPN between an ASA and a router.
The process by which the ASA authenticates IKE based on the FQDN of the router and lands it on
a tunnel-group is pretty straightforward.
However, how does the router authenticate IKE phase 1 based on the ASA's FQDN (IKE ID)
or certificate OU?
I already put
crypto isakmp identity hostname
crypto isa profile 1
match identity hostname ASA.cisco.com
crypto map VPN isakmp-profile 1
but I still see the router authenticate the SA based on IP:
Mar 20 14:14:01.939: ISAKMP:(1019): processing ID payload. message ID = 0
Mar 20 14:14:01.943: ISAKMP (0:1019): ID payload
next-payload : 6
type : 2
FQDN name : ASAl.cisco.com
protocol : 0
port : 0
length : 29
Mar 20 14:14:01.947: ISAKMP:(0):: peer matches ASA.cisco.com profile
Mar 20 14:14:01.951: ISAKMP:(1019): processing CERT payload.
Rack1R2# message ID = 0
Mar 20 14:14:01.955: ISAKMP:(1019): processing a CT_X509_SIGNATURE cert
Mar 20 14:14:02.111: ISAKMP:(1019): peer's pubkey isn't cached
Mar 20 14:14:02.455: ISAKMP:(1019): Unable to get DN from certificate!
Mar 20 14:14:02.459: ISAKMP:(1019): Cert presented by peer contains no OU field.
Mar 20 14:14:02.475: ISAKMP:(1019): processing SIG payload. message ID = 0
Mar 20 14:14:02.515: ISAKMP:received payload type 17
Mar 20 14:14:02.519: ISAKMP:(1019): processing vendor id payload
Mar 20 14:14:02.519: ISAKMP:(1019): vendor ID is DPD
Mar 20 14:14:02.523: ISAKMP:(1019):SA authentication status:
authenticated
Mar 20 14:14:02.527: ISAKMP:(1019):SA has been authenticated with 150.0.29.9
Mar 20 14:14:02.531: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MOD
How can I make the router authenticate the SA based on hostname rather than the
IP address of the ASA?
Cheers
Jeremy
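Added example, not part of the original post and not Cisco code: a small Python checker that reads IOS `debug crypto isakmp` output like the lines quoted above and separates the identity the peer actually sent (the ID payload, with the type number decoded using the ISAKMP identification types from RFC 2407) from the address printed in the final "SA has been authenticated with" status line. It also flags the "contains no OU field" condition, since an ISAKMP profile that matches on the certificate OU can never match a peer whose certificate carries no OU. The sample debug text is constructed from the post's own lines (the timestamps and the peer address are illustrative), and the `assess` wording is the example's, not IOS output.

```python
import re

# ISAKMP identification payload types (RFC 2407, section 4.6.2.1).
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE",
    8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}
# ID types that name the peer rather than its transport address.
NAME_BASED_IDS = {2, 3, 9, 10, 11}

# Constructed sample, modelled on the debug lines quoted in the post.
SAMPLE_DEBUG = """\
Mar 20 14:14:01.939: ISAKMP:(1019): processing ID payload. message ID = 0
Mar 20 14:14:01.943: ISAKMP (0:1019): ID payload
next-payload : 6
type : 2
FQDN name : ASAl.cisco.com
protocol : 0
port : 0
length : 29
Mar 20 14:14:01.947: ISAKMP:(0):: peer matches ASA.cisco.com profile
Mar 20 14:14:02.455: ISAKMP:(1019): Unable to get DN from certificate!
Mar 20 14:14:02.459: ISAKMP:(1019): Cert presented by peer contains no OU field.
Mar 20 14:14:02.527: ISAKMP:(1019):SA has been authenticated with 150.0.29.9
"""

TIMESTAMPED = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")
ID_HEADER = re.compile(r"ISAKMP \(\d+:\d+\): ID payload")
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s*:\s*(.+)$")
PAYLOAD_FIELDS = {"next-payload", "protocol", "port", "length"}


def parse_isakmp_debug(text):
    """Collect the identity-related facts from one IKE phase 1 debug trace."""
    r = {"id_type": None, "id_type_name": None, "id_value": None,
         "matched_profile": None, "cert_has_ou": None, "dn_available": None,
         "authenticated_peer": None}
    in_id_payload = False
    for raw in text.splitlines():
        line = raw.strip()
        if ID_HEADER.search(line):
            in_id_payload = True          # the following indented fields describe the ID
            continue
        if in_id_payload and TIMESTAMPED.match(line):
            in_id_payload = False         # a new timestamped event ends the ID dump
        if in_id_payload:
            m = KEY_VALUE.match(line)
            if not m:
                continue
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            if key == "type":
                r["id_type"] = int(value)
                r["id_type_name"] = ID_TYPES.get(r["id_type"], "UNKNOWN")
            elif key not in PAYLOAD_FIELDS and r["id_value"] is None:
                r["id_value"] = value     # e.g. "FQDN name : ..." for type 2
            continue
        m = re.search(r"peer matches (\S+) profile", line)
        if m:
            r["matched_profile"] = m.group(1)
        if "Unable to get DN from certificate" in line:
            r["dn_available"] = False
        if "contains no OU field" in line:
            r["cert_has_ou"] = False
        m = re.search(r"SA has been authenticated with (\S+)", line)
        if m:
            r["authenticated_peer"] = m.group(1)
    return r


def assess(r):
    """Turn the parsed facts into findings a reader of the debug would want."""
    if r["id_type"] is None:
        return ["no ID payload found in the trace"]
    findings = []
    if r["id_type"] in NAME_BASED_IDS:
        findings.append(f"peer identified itself by {r['id_type_name']} "
                        f"'{r['id_value']}', not by address")
    else:
        findings.append(f"peer identified itself by {r['id_type_name']} "
                        f"'{r['id_value']}'; a hostname match cannot apply")
    if r["matched_profile"]:
        findings.append(f"ISAKMP profile match succeeded on that identity: "
                        f"{r['matched_profile']}")
    if r["cert_has_ou"] is False:
        findings.append("certificate carries no OU attribute; an OU-based "
                        "certificate match cannot match this peer")
    if r["authenticated_peer"]:
        findings.append(f"final status line reports the peer by address "
                        f"{r['authenticated_peer']}; the identity actually "
                        f"received is the ID payload above it")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_isakmp_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

Feed it a saved `debug crypto isakmp` capture instead of `SAMPLE_DEBUG` to see, for a real negotiation, which ID type the peer presented and whether the profile match line appeared before the address-based status line.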
Received on Sat Mar 20 2010 - 14:03:16 ART