Dears,
Once again I face the same problem, though this time I can't get the concept
behind the problem.
R3 is using the identity as the hostname (Rack1R3.INE.com).
ASA1 is also using the identity as the hostname (Rack1ASA1.INE.com).
The tunnel-group is configured to be tunnel-group Rack1R3.INE.com and is
using the trustpoint R2 (where R2 is a CA server).
I am still getting the same error on the ASA:
Unable to compare IKE ID against peer cert Subject Alt Name
However, from what I can see, R3's IKE ID is the hostname (FQDN)
and it matches the subject in the certificate:
R3's Certificate:
Certificate
Status: Available
Certificate Serial Number: 0x2
Certificate Usage: General Purpose
Issuer:
cn=R2
Subject:
Name: Rack1R3.INE.com
hostname=Rack1R3.INE.com
Validity Date:
start date: 10:06:46 UTC Oct 3 2010
end date: 10:06:46 UTC Oct 3 2011
Associated Trustpoints: R2
I hope someone can clarify this :)
On Sun, Oct 3, 2010 at 8:53 PM, Dhack Dheolu <dhackdheolu_at_gmail.com> wrote:
> Like Keith advised, use a router. But just to clear your doubts, you need
> to get a valid password generated by the MS server. Go to the following URL
> on the server: http://127.0.0.1/certsrv/mscep/mscep.dll and obtain a
> password from there and then use that password to enroll.
>
> Good luck.
>
> On Sun, Oct 3, 2010 at 5:57 PM, Keith Barker <kbarker_at_ine.com> wrote:
>
>> KJ
>>
>> Set up a router as a CA server and use that instead of the MS CA, and move
>> on.
>>
>> Best wishes,
>>
>> Keith H. Barker, CCIE #6783
>>
>>
>> > Dear Experts,
>> >
>> > I am working on one of INE's security labs and have run into a problem. I
>> > can't seem to get a certificate from the CA. Note that I can authenticate the
>> > CA (get the self-signed certificate from the CA), however I can't seem to get
>> > a certificate for my router. I would appreciate any help!
>> >
>> > crypto pki trustpoint IE1
>> > enrollment mode ra
>> > enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
>> > revocation-check none
>> >
>> > crypto ca authenticate IE1
>> > crypto ca enroll IE1
>> > %
>> > % Start certificate enrollment ..
>> > % Create a challenge password. You will need to verbally provide this
>> > password to the CA Administrator in order to revoke your certificate.
>> > For security reasons your password will not be saved in the
>> > configuration.
>> > Please make a note of it.
>> >
>> > Password:
>> > Re-enter password:
>> >
>> > % The subject name in the certificate will include: Rack1R3.INE.com
>> > % Include the router serial number in the subject name? [yes/no]: no
>> > % Include an IP address in the subject name? [no]: no
>> > Request certificate from CA? [yes/no]: yes
>> > % Certificate request sent to Certificate Authority
>> > % The 'show crypto ca certificate IE1 verbose' command will show the
>> > fingerprint.
>> >
>> > Rack1R3(config)#
>> > Oct 4 02:47:10.544: CRYPTO_PKI: Certificate Request Fingerprint MD5:
>> > 3C3390BC 5925C2A0 1C0C91C1 F1C2C4F1
>> > Oct 4 02:47:10.548: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
>> > 8DDD24A6 2CE019B6 23E58683 E192D8DD DBB12BE5
>> > Rack1R3(config)#^Z
>> > Rack1R3#
>> > Oct 4 02:47:14.679: %SYS-5-CONFIG_I: Configured from console by console
>> >
>> > Rack1R3#show crypto ca certificates
>> > CA Certificate
>> > Status: Available
>> > Certificate Serial Number: 0x122272C6E4466092444CBC4709E79763
>> > Certificate Usage: Signature
>> > Issuer:
>> > cn=sc06-aaa
>> > ou=CCIE
>> > o=INE
>> > l=Reno
>> > st=NV
>> > c=US
>> > e=support_at_ine.com
>> > Subject:
>> > cn=sc06-aaa
>> > ou=CCIE
>> > o=INE
>> > l=Reno
>> > st=NV
>> > c=US
>> > e=support_at_ine.com
>> > CRL Distribution Points:
>> > http://sc06-aaa/CertEnroll/sc06-aaa.crl
>> > Validity Date:
>> > start date: 00:18:38 UTC Jun 11 2010
>> > end date: 00:28:20 UTC Jun 11 2020
>> > Associated Trustpoints: IE
>> >
>> > Would appreciate any help:) Thanks
>> >
>> > --
>> > KJ
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>
> --
> Regards,
> Adeolu Owokade
> CCIE #26495 (Security)
>
--
KJ

Received on Sun Oct 03 2010 - 21:43:51 ART
This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:05 ART
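The ASA's message quoted above says what it is trying to do: compare the peer's IKE identity against the Subject Alt Name (SAN) extension of the peer's certificate, not against the Subject's hostname/unstructuredName attribute. The usual mapping (RFC 4945) is ID_FQDN to a dNSName, ID_RFC822_ADDR (user FQDN) to an rfc822Name and ID_IPV4_ADDR to an iPAddress, all inside the SAN. The following is an added example, written for this page and not code from the thread, from INE or from Cisco: it encodes and decodes a DER SubjectAltName and runs that identity check on three constructed certificates. The function names, the `ike_id_type` heuristic, the sample DER bytes and the assumption that a certificate with no SAN at all produces exactly the quoted "Unable to compare" condition are this example's own; the thread does not state what the ASA does after that failure.

```python
"""Added example (not from the thread or from Cisco): model how an IKE peer
identity is matched against the subjectAltName of the peer's certificate."""
import ipaddress

# GeneralName context tags from RFC 5280 section 4.2.1.6
GN_RFC822 = 1      # rfc822Name  <- IKE ID type USER_FQDN (user@host)
GN_DNS = 2         # dNSName     <- IKE ID type FQDN (hostname)
GN_IP = 7          # iPAddress   <- IKE ID type IPV4_ADDR


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_san(der):
    """Decode a SubjectAltName extension value into a list of (kind, text)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE OF GeneralName")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        gn = tag & 0x1F                     # context-specific tag number
        if gn in (GN_DNS, GN_RFC822):
            names.append((gn, val.decode("ascii")))
        elif gn == GN_IP and len(val) == 4:
            names.append((gn, str(ipaddress.IPv4Address(val))))
        # other GeneralName choices (URI, directoryName, ...) are ignored here
    return names


def build_san(names):
    """Encode a list of (kind, text) as a DER SubjectAltName extension value.
    This is what a CSR has to carry for the FQDN to end up in the SAN."""
    body = b""
    for gn, text in names:
        raw = ipaddress.IPv4Address(text).packed if gn == GN_IP else text.encode("ascii")
        assert len(raw) < 128, "short-form DER lengths only in this example"
        body += bytes([0x80 | gn, len(raw)]) + raw   # [gn] IMPLICIT, primitive
    assert len(body) < 128
    return bytes([0x30, len(body)]) + body


def ike_id_type(ike_id):
    """Classify an ISAKMP identity string (example heuristic, not Cisco's code)."""
    try:
        ipaddress.IPv4Address(ike_id)
        return GN_IP
    except ValueError:
        pass
    return GN_RFC822 if "@" in ike_id else GN_DNS


def check_peer_id(ike_id, san_der):
    """Return (ok, reason). san_der is None when the certificate has no SAN.
    Assumption: an absent SAN is what yields the ASA's 'Unable to compare' message."""
    wanted = ike_id_type(ike_id)
    if san_der is None:
        return False, "Unable to compare IKE ID against peer cert Subject Alt Name"
    candidates = [v for gn, v in parse_san(san_der) if gn == wanted]
    if not candidates:
        return False, "peer cert SAN has no GeneralName of the IKE ID's type"
    if wanted == GN_IP:
        ok = ike_id in candidates
    else:
        ok = ike_id.lower() in (c.lower() for c in candidates)  # DNS/e-mail names compare case-insensitively
    return ok, ("IKE ID matched SAN" if ok else "IKE ID not found in peer cert SAN")


# Constructed sample inputs, not the real certificates from the thread:
NO_SAN = None                                             # subject only, like the posted R3 cert
SAN_WITH_FQDN = build_san([(GN_DNS, "Rack1R3.INE.com")])  # FQDN carried as dNSName
SAN_WITH_IP_ONLY = build_san([(GN_IP, "10.0.0.3")])       # wrong GeneralName type for an FQDN ID


def demo(ike_id="Rack1R3.INE.com"):
    """Run the check against all three sample certificates; returns {label: (ok, reason)}."""
    return {label: check_peer_id(ike_id, san) for label, san in
            [("no SAN", NO_SAN), ("dNSName SAN", SAN_WITH_FQDN), ("iPAddress-only SAN", SAN_WITH_IP_ONLY)]}


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:20s} {'OK ' if ok else 'FAIL'} {reason}")
```

The point the example makes is that a name in the Subject (here `hostname=Rack1R3.INE.com`) is not the same binding as a dNSName in the SAN: the responder looks only at the SAN for an FQDN identity, so either the certificate request must put the FQDN there (and the CA must not strip it), or the peer must present an identity type the certificate actually carries.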