Site-to-Site VPN using PKI (CCIE Notes)


Points to remember:

1) peer-id-validate

  • Either disable the check under the tunnel-group ipsec-attributes (peer-id-validate nocheck),

OR

  • Make the peer send an identity that matches its certificate (on IOS: crypto isakmp identity dn). Prefer this option: nocheck stops the ASA from comparing the IKE ID payload with the peer's certificate, so fix the identity rather than disable the check.

2) Using trustpoint

  • In ASA, the trustpoint must be referenced in two places: under the crypto map (set trustpoint) and under the tunnel-group ipsec-attributes (trust-point, or ikev1 trust-point on 8.4 and later).
  • In IOS, the trustpoint does not need to be referenced under any other configuration command; with authentication rsa-sig the router uses the certificate from its configured trustpoint.

3) Defining the Peer IP

  • In ASA, the peer IP needs to be specified under the crypto map (set peer) as well as in the tunnel-group name (tunnel-group <peer-ip> type ipsec-l2l); otherwise the connection cannot land on the right tunnel-group.
  • In IOS, for main mode no crypto isakmp peer entry needs to be specified; the crypto map set peer command is enough for the tunnel to establish.
  • In IOS, for aggressive mode a crypto isakmp peer entry needs to be specified.
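Putting the three points together, the following is a minimal main-mode ASA-to-IOS configuration added here as an example; it is not from the original notes. The router address 10.1.1.4 is taken from the debug output on this page; the ASA address 10.1.1.2, the CA URL 10.1.1.100, the trustpoint name LAB-CA, the hostnames, the key labels and the LAN subnets 192.168.1.0/24 and 192.168.2.0/24 are assumptions for the lab.

```cisco
! ---- ASA (10.1.1.2, assumed), 8.4+ syntax ----
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint LAB-CA
 enrollment terminal
 subject-name CN=asa1.lab.local,OU=VPN
 keypair VPN-KEY
crypto ca authenticate LAB-CA
crypto ca enroll LAB-CA
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! Point 2: trustpoint referenced under the crypto map ...
! Point 3: peer IP under the crypto map ...
crypto map CM 10 match address VPN-ACL
crypto map CM 10 set peer 10.1.1.4
crypto map CM 10 set ikev1 transform-set TS
crypto map CM 10 set trustpoint LAB-CA
crypto map CM interface outside
!
! ... and again under a tunnel-group named after the peer IP.
! Point 1: keep peer-id-validate at req; the router below sends a
! DN identity that matches its certificate, so nocheck is not needed.
tunnel-group 10.1.1.4 type ipsec-l2l
tunnel-group 10.1.1.4 ipsec-attributes
 ikev1 trust-point LAB-CA
 peer-id-validate req

! ---- IOS router (10.1.1.4, from the debug) ----
crypto key generate rsa label VPN-KEY modulus 2048
crypto pki trustpoint LAB-CA
 enrollment url http://10.1.1.100:80
 subject-name CN=r1.lab.local,OU=VPN
 revocation-check none      ! lab only; use crl or ocsp in production
 rsakeypair VPN-KEY
crypto pki authenticate LAB-CA
crypto pki enroll LAB-CA
!
crypto isakmp policy 10
 encr aes 256
 authentication rsa-sig
 group 5
! Point 1: send the certificate DN as the IKE identity instead of the
! default IP address, which is not present in the certificate.
crypto isakmp identity dn
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended VPN-ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Point 2/3: no trustpoint reference and no crypto isakmp peer entry
! are needed for main mode; set peer is enough.
crypto map CM 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set TS
 match address VPN-ACL
!
interface GigabitEthernet0/0
 ip address 10.1.1.4 255.255.255.0
 crypto map CM
```

Verify with show crypto isakmp sa and show crypto ipsec sa on both sides; to reproduce the debug output on this page use debug crypto ikev1 127 on the ASA and debug crypto isakmp on the router. Aggressive mode (point 3, third bullet) is deliberately left out of this example.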

Debug (Initiator, ASA):
Note the order of the tunnel-group lookup: OU from the peer certificate first, then the IKE ID, then the peer IP address. This is why the tunnel-group has to be named after the peer IP.

Jun 29 22:32:59 [IKEv1 DECODE]Dump of received Signature, len 64:
0000: 9ED82E89 256033F5 46535452 79A63992 ....%`3.FSTRy.9.
0010: 7A3C8498 45656D3E 03F65C46 A16F8C79 z<..Eem>..\F.o.y
0020: 33131191 F2BCEC00 970CA1C2 4719B546 3...........G..F
0030: F109C689 E48F24DF CCA27B31 E7CA72ED ......$...{1..r.
Jun 29 22:32:59 [IKEv1]IP = 10.1.1.4, Trying to find group via OU...
Jun 29 22:32:59 [IKEv1]IP = 10.1.1.4, No Group found by matching OU(s) from ID payload: Unknown
Jun 29 22:32:59 [IKEv1]IP = 10.1.1.4, Trying to find group via IKE ID...
Jun 29 22:32:59 [IKEv1]IP = 10.1.1.4, Trying to find group via IP ADDR...
Jun 29 22:32:59 [IKEv1]IP = 10.1.1.4, Connection landed on tunnel_group 10.1.1.4
Jun 29 22:32:59 [IKEv1 DEBUG]Group = 10.1.1.4, IP = 10.1.1.4, peer ID type 2 received (FQDN)

Debug (Responder, IOS):
The router is configured with identity address, but its certificate carries no IP address, so it falls back to FQDN as its ID (the ASA sees peer ID type 2, FQDN). crypto isakmp identity dn avoids this fallback.

Jun 29 22:32:59.704: ISAKMP:(1007): Unable to get DN from certificate!
Jun 29 22:32:59.704: ISAKMP:(1007): Cert presented by peer contains no OU field.
Jun 29 22:32:59.732: ISAKMP:(1007):My ID configured as IPv4 Addr, but Addr not in Cert!
Jun 29 22:32:59.732: ISAKMP:(1007):Using FQDN as My ID
Jun 29 22:32:59.732: ISAKMP:(1007):SA is doing RSA signature authentication using id type ID_FQDN

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/
