Topic: IPSec L-2-L Between ASA and IOS with PKI
NewAgeQuanta
Specialist
Member # 32102
posted May 25, 2012 08:37 PM
Guys,
One question has been bothering me.
A well-known issue is that if the IOS peer does not present its IKE identity as a DN, or the ASA is set to peer-id-validate {cert|no-check}, then the peering fails.
My question is, how does the crypto isakmp profile fit into this with the self-identity command?
I tried unsuccessfully to use the ISAKMP profile with self-identity fqdn set to the CN of the certificate, but the ASA kept giving the following error:
Unable to compare IKE ID against peer cert Subject Alt Name
Am I trying to use the wrong tool here? Are the two ways stated above the only ways to make this happen? (crypto isakmp identity or peer-id-validate)
Thanks in advance,
Nic
Posts: 73 | From: US | Registered: Mar 2012
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted May 25, 2012 11:04 PM
Did you associate that profile to the crypto map?
Config, please...
With regards Kings
Posts: 887 | From: India | Registered: Jun 2010
NewAgeQuanta
Specialist
Member # 32102
posted May 26, 2012 03:15 AM
Yes, the profile was applied to a crypto map entry.
Nic
Posts: 73 | From: US | Registered: Mar 2012
NewAgeQuanta
Specialist
Member # 32102
posted May 26, 2012 04:10 PM
The relevant configs:
Directly connected ASA and R2 on 29.29.29.0/24. Both have the certificates.

R2

crypto pki trustpoint R1
 enrollment url http://19.19.19.1:80
 usage ike
 fqdn R2
 subject-name CN=R2,OU=CISCO,C=US,L=Laurel
 revocation-check none
!
crypto pki certificate map CERTMAP 10
 subject-name co asa1
!
crypto isakmp policy 10
 authentication rsa-sig
 encr aes
 group 5
!
crypto isakmp profile ISAKMP
 self-identity fqdn R2
 ca trust-point R1
 match certificate CERTMAP
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map CMAP_OUTSIDE isakmp-profile ISAKMP
!
crypto map CMAP_OUTSIDE 10 ipsec-isakmp
 set peer 29.29.29.9
 set transform-set TS
 set isakmp-profile ISAKMP
 match address CACL
 reverse-route static
!
interface GigabitEthernet0/0
 ip address 29.29.29.2 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
 media-type sfp
 negotiation auto
 crypto map CMAP_OUTSIDE

ASA 1

crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map CMAP_OUTSIDE 10 match address CACL
crypto map CMAP_OUTSIDE 10 set peer 29.29.29.2
crypto map CMAP_OUTSIDE 10 set transform-set TS
crypto map CMAP_OUTSIDE 10 set trustpoint R1
crypto map CMAP_OUTSIDE 10 set reverse-route
crypto map CMAP_OUTSIDE interface outside
!
crypto ca trustpoint R1
 enrollment url http://19.19.19.1:80
 subject-name CN=ASA1,OU=CISCO,C=US,L=Laurel
 serial-number
 crl configure
!
crypto ca certificate map CERTMAP 10
 subject-name co r2
!
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
!
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Posts: 73 | From: US | Registered: Mar 2012
NewAgeQuanta
Specialist
Member # 32102
posted May 26, 2012 04:12 PM
One more question:
What is the functional difference between these?
crypto map CMAP_OUTSIDE isakmp-profile ISAKMP
Vs.
crypto map CMAP_OUTSIDE 10 ipsec-isakmp set isakmp-profile ISAKMP
All inputs appreciated.
Nic
Posts: 73 | From: US | Registered: Mar 2012
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted May 27, 2012 12:38 AM
If you apply it globally, then it applies to all crypto map entries (1, 2, 3, etc.).
If it is under a crypto map entry, then it's only applicable to that one.
Even if you have defined a hostname, that will not work. The ASA tries to match the SAN (Subject Alternative Name), which is not present in the cert. For some reason, the IOS cert doesn't have a SAN. The SAN is present in the X.509 v3 extension field of a cert.
So always use the dn type or disable the check on the ASA.
With regards Kings
Posts: 887 | From: India | Registered: Jun 2010
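As an added illustration (not code from the thread, from Cisco, or from either participant), the following Python models the ASA peer-ID validation behaviour Kings describes: a DN identity is compared against the certificate subject, while fqdn/address identities are compared against the SAN extension, which the R2 certificate in this thread lacks. The mode names req/cert/nocheck, the rule that "cert" mode skips the check when no SAN is present, and the certificate contents are assumptions constructed for the example.

```python
# Simplified model (not Cisco's implementation) of ASA peer-id-validate
# behaviour for an IKEv1 certificate-authenticated peer.
# Assumptions: mode 'req' always validates, 'cert' validates only when the
# certificate carries a SAN, 'nocheck' skips validation entirely.
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class PeerCert:
    subject_dn: str                                            # RFC 4514 style DN string
    san: List[Tuple[str, str]] = field(default_factory=list)   # (type, value), e.g. ("fqdn", "R2")

def _norm_dn(dn: str) -> str:
    # Normalise a DN so "CN=R2, OU=CISCO" and "cn=r2,ou=cisco" compare equal
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(p.lower() for p in parts)

def validate_peer_id(mode: str, id_type: str, id_value: str, cert: PeerCert) -> Tuple[bool, str]:
    """Return (accepted, reason) for an IKE ID presented together with a certificate."""
    if mode == "nocheck":
        return True, "peer-id-validate nocheck: ID not compared to certificate"
    if id_type == "dn":
        if _norm_dn(id_value) == _norm_dn(cert.subject_dn):
            return True, "IKE ID DN matches certificate subject"
        return False, "IKE ID DN does not match certificate subject"
    # fqdn / address / user-fqdn identities are compared against the SAN extension
    if not cert.san:
        if mode == "cert":
            return True, "peer-id-validate cert: certificate has no SAN, validation skipped"
        return False, "Unable to compare IKE ID against peer cert Subject Alt Name"
    for san_type, san_value in cert.san:
        if san_type == id_type and san_value.lower() == id_value.lower():
            return True, f"IKE ID {id_type} matches SAN"
    return False, f"IKE ID {id_type} {id_value} not found in SAN"

# Constructed sample: the R2 certificate as described in the thread, with no SAN
R2_CERT = PeerCert(subject_dn="CN=R2,OU=CISCO,C=US,L=Laurel")

def demo():
    # The four situations the thread discusses, keyed by (mode, id_type, id_value)
    cases = [
        ("req", "fqdn", "R2"),
        ("cert", "fqdn", "R2"),
        ("nocheck", "fqdn", "R2"),
        ("req", "dn", "CN=R2,OU=CISCO,C=US,L=Laurel"),
    ]
    return {c: validate_peer_id(*c, R2_CERT) for c in cases}

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(case, "ACCEPT" if ok else "REJECT", "-", why)
```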
NewAgeQuanta
Specialist
Member # 32102
posted May 27, 2012 03:44 AM
Thanks Kings,
So, since the DN option for the IKE ID is available only globally and not inside an ISAKMP profile, that limits our options, I guess.
If I were to terminate multiple S-2-S tunnels on the IOS router, some PSK and some cert based, then one option I can think of (pretending the lab says not to use peer-id-validate cert) is using DN as the global IKE ID and tuning the IKE ID to address for the PSK.
I have not thought about the real-world implications of peer-id-validate cert/none, but I am looking at this purely from a CCIE lab and its restrictions perspective.
Is there any other way of doing this that one can think of?
Nic
Posts: 73 | From: US | Registered: Mar 2012
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted May 27, 2012 09:55 AM
When you have multiple VPNs with different auth types, use the dn type globally and the address type in the profile.
With regards Kings
Posts: 887 | From: India | Registered: Jun 2010