This post is on the same lines as the previous one. The difference is in the configuration done on an ASA and an IOS device.
Configuration in IOS;
crypto pki trustpoint CISCO_CA enrollment url http://10.3.3.3:80 usage ike subject-name CN=R1, C=IN ip-address 10.1.1.1 fqdn R1.networkology.net crypto pki authenticate CISCO_CA crypto pki enroll CISCO_CA ! crypto isakmp policy 10 authetication rsa-sig ! ! !(OPTIONAL config below) ! ! crypto isakmp peer address 10.2.2.1 set aggressive-mode client-endpoint fqdn r2.networkology.net ! !OR ! crypto isakmp peer address 10.2.2.1 set aggressive-mode client-endpoint ipv4-address 10.2.2.1
Notes:
- NOT USING the ‘crypto isakmp peer’ command; It’s optional to use the ‘crypto isakmp peer’ statement. If this statement isn’t used, then the router uses IP as the client-endpoint and if IP isn’t found in the certificate, it uses the FQDN instead.
- USING the ‘crypto isakmp peer’ command; you can either specify the client-endpoint as FQDN or IP address for a particular peer. Verify that either of the two is embedded in the certificate. Any way, FQDN is always present in the certificate even if not explicitly added because of the configured ‘hostname’ and ‘ip domain-name’. But IP address has to be manually added while creating a trustpoint and enrolling it to a CA.