Dear Experts,
I have got one enquiry pertaining to L2L VPN with RSA signatures:
I have 1 Router R3/One ASA running a L2L VPN. Both devices get their
certificates perfectly fine. I need to clarify a couple of issues:
1) For the ASA to be able to know which tunnel group the connection lands on
it checks:
A) OU in the certificate
B) IKE ID
C) IP address of the peer, which in my case, as the tunnel-group is pointing
to a remote peer, solves this issue.
2) "Unable to compare IKE ID against peer cert Subject Alt Name" (error
message I got on the ASA): As far as I understand, the IKE ID of R3 by default
will be its IP address, which is not mentioned in the certificate that the ASA
receives and checks. The IKE ID must match the subject name in the
certificate presented, which is not the case in my example. Thus I need to
tune the IKE ID to be the dn (distinguished name). However, the WB
states that the IKE ID will automatically be the hostname (presented in the
certificate), but in my example I don't see this?
R3's certificate:
Certificate
Status: Available
Certificate Serial Number: 0x2
Certificate Usage: General Purpose
Issuer:
cn=R2
Subject:
Name: Rack1R3.INE.com
hostname=Rack1R3.INE.com
Validity Date:
start date: 10:06:46 UTC Oct 3 2010
end date: 10:06:46 UTC Oct 3 2011
Associated Trustpoints: R2
I would appreciate your help. Could someone please provide a good document
about understanding certificate fields and how they work with IPsec VPN.
Thanks
On Sun, Oct 3, 2010 at 8:22 PM, Keith Barker <kbarker_at_ine.com> wrote:
> I am not sure of the status of all the MS CA servers on all the racks.
> That is a variable I am not sure of.
>
> In the real lab, you will very likely use only IOS CA servers, and not MS
> CA servers.
>
> In the INE labs, I would recommend cutting out the MS CA servers and using
> the IOS CA.
>
> Keith H. Barker, CCIE #6783
> Instructor
> kbarker_at_ine.com
> Internetwork Expert, Inc.
> http://ine.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
>
> On Oct 3, 2010, at 10:05 AM, karim jamali wrote:
>
> Thanks a lot Keith. Keith, am I doing something wrong, or is there anything I
> should configure on the server? This is the 2nd time I try and can't
> get a certificate for my router.
>
> Thanks:)
>
> On Sun, Oct 3, 2010 at 7:57 PM, Keith Barker <kbarker_at_ine.com> wrote:
>
>> KJ
>>
>> Set up a router as a CA server and use that instead of the MS CA, and move
>> on.
>>
>> Best wishes,
>>
>> Keith H. Barker, CCIE #6783
>>
>>
>> > Dear Experts,
>> >
>> > I am working on one of INE's security labs and finding one problem. I
>> > can't seem to get a certificate from the CA. Note that I can authenticate
>> > the CA (get the self-signed certificate by the CA); however, I can't seem
>> > to get a certificate for my router. I would appreciate any help!
>> >
>> > crypto pki trustpoint IE1
>> > enrollment mode ra
>> > enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
>> > revocation-check none
>> >
>> > crypto ca authenticate IE1
>> > crypto ca enroll IE1
>> > %
>> > % Start certificate enrollment ..
>> > % Create a challenge password. You will need to verbally provide this
>> > password to the CA Administrator in order to revoke your certificate.
>> > For security reasons your password will not be saved in the
>> > configuration.
>> > Please make a note of it.
>> >
>> > Password:
>> > Re-enter password:
>> >
>> > % The subject name in the certificate will include: Rack1R3.INE.com
>> > % Include the router serial number in the subject name? [yes/no]: no
>> > % Include an IP address in the subject name? [no]: no
>> > Request certificate from CA? [yes/no]: yes
>> > % Certificate request sent to Certificate Authority
>> > % The 'show crypto ca certificate IE1 verbose' command will show the
>> > fingerprint.
>> >
>> > Rack1R3(config)#
>> > Oct 4 02:47:10.544: CRYPTO_PKI: Certificate Request Fingerprint MD5:
>> > 3C3390BC 5925C2A0 1C0C91C1 F1C2C4F1
>> > Oct 4 02:47:10.548: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
>> > 8DDD24A6 2CE019B6 23E58683 E192D8DD DBB12BE5
>> > Rack1R3(config)#^Z
>> > Rack1R3#
>> > Oct 4 02:47:14.679: %SYS-5-CONFIG_I: Configured from console by console
>> >
>> > Rack1R3#show crypto ca certificates
>> > CA Certificate
>> > Status: Available
>> > Certificate Serial Number: 0x122272C6E4466092444CBC4709E79763
>> > Certificate Usage: Signature
>> > Issuer:
>> > cn=sc06-aaa
>> > ou=CCIE
>> > o=INE
>> > l=Reno
>> > st=NV
>> > c=US
>> > e=support_at_ine.com
>> > Subject:
>> > cn=sc06-aaa
>> > ou=CCIE
>> > o=INE
>> > l=Reno
>> > st=NV
>> > c=US
>> > e=support_at_ine.com
>> > CRL Distribution Points:
>> > http://sc06-aaa/CertEnroll/sc06-aaa.crl
>> > Validity Date:
>> > start date: 00:18:38 UTC Jun 11 2010
>> > end date: 00:28:20 UTC Jun 11 2020
>> > Associated Trustpoints: IE
>> >
>> > Would appreciate any help:) Thanks
>> >
>> > --
>> > KJ
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
> --
> KJ
--
KJ

Received on Sun Oct 03 2010 - 20:55:59 ART
This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:05 ART
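A simplified model of the peer-identity check behind the "Unable to compare IKE ID against peer cert Subject Alt Name" message, added here as an example and not taken from the thread or from Cisco's implementation: it classifies the IKE ID as an address, an FQDN or a DN and compares it with the corresponding certificate fields. The address 10.0.0.3 is a constructed stand-in for R3's interface IP, and the subject/SAN layout is an assumption built from the posted R3 certificate output.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class PeerCert:
    """Certificate fields that matter for the IKE identity check."""
    subject_dn: dict                               # attribute -> value
    san_dns: list = field(default_factory=list)    # SAN dNSName entries
    san_ip: list = field(default_factory=list)     # SAN iPAddress entries

def parse_dn(dn: str) -> dict:
    """'hostname=Rack1R3.INE.com,cn=R3' -> normalised attribute map."""
    out = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        out[attr.strip().lower()] = value.strip().lower()
    return out

def classify_ike_id(ike_id: str) -> str:
    """Decide whether the IKE ID is an address, a DN or an FQDN."""
    try:
        ipaddress.ip_address(ike_id)
        return "address"
    except ValueError:
        return "dn" if "=" in ike_id else "fqdn"

def ike_id_matches_cert(ike_id: str, cert: PeerCert) -> bool:
    """Simplified model of comparing the peer's IKE ID with its certificate."""
    kind = classify_ike_id(ike_id)
    if kind == "address":
        # An address ID is only comparable with an iPAddress SAN entry; R3's
        # certificate has none, which is the mismatch reported in the thread.
        return ike_id in cert.san_ip
    if kind == "fqdn":
        names = {d.lower() for d in cert.san_dns}
        # Assumption: IOS enrollment also places the FQDN in the subject
        # as the hostname (unstructuredName) attribute, as the dump shows.
        names |= {v.lower() for k, v in cert.subject_dn.items()
                  if k.lower() in ("hostname", "unstructuredname")}
        return ike_id.lower() in names
    # A DN ID is compared attribute by attribute with the subject DN.
    subject = {k.lower(): v.lower() for k, v in cert.subject_dn.items()}
    return parse_dn(ike_id) == subject

# Constructed from the R3 certificate in the thread: subject hostname and SAN
# both carry Rack1R3.INE.com, and there is no address entry.
R3_CERT = PeerCert(subject_dn={"hostname": "Rack1R3.INE.com"},
                   san_dns=["Rack1R3.INE.com"])
```

Running `ike_id_matches_cert` with "10.0.0.3" fails, while the FQDN or the DN form of the same identity matches, which is why switching R3's IKE identity away from its address resolves the error.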