03-05-2012 12:14 AM - edited 02-21-2020 05:55 PM
Hello!
Could anyone please give me a working ASA config for an ASA site-to-site IPsec VPN with a peer that has a dynamic IP and authentication by certificates?
It works with PSK authentication. But with certificate authentication the connection lands on DefaultRAGroup instead of DefaultL2LGroup.
What special config should I apply to DefaultRAGroup to activate the connection?
Thank you!
03-05-2012 12:24 AM
Andrey,
The first thing that should kick in is tunnel-group mapping by the OU value in certificates: create a tunnel-group with a name equal to the OU value.
Otherwise you can play with tunnel-group-map and certificate map to make sure particular certificates land on particular tunnel-groups.
TL;DR: There is no need to land on default groups. The biggest benefit of certificates is that you can use parts of them to land on the correct tunnel-group.
M.
03-05-2012 12:34 AM
Do I need additional commands for tunnel-group mapping by OU to support an IPsec site-to-site connection?
03-05-2012 01:48 AM
Andrey,
OU mapping should be on by default. You can verify by doing:
bsns-asa5540-3# sh run all tunnel-group-map
no tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultRAGroup
You can see that by default, if we don't match OU, IKE-ID or peer-ip, we will land on DefaultRAGroup :-)
M.
03-06-2012 04:45 AM
Marcin,
I have the 'crypto isakmp identity address' command enabled on my Cisco ASA. But DC authentication is working. Phase 1 with my peer is in the active state. Should I change 'crypto isakmp identity address' to 'crypto isakmp identity auto' to support both PSK and DC authentication? Will I get any service loss after applying 'crypto isakmp identity auto'?
Thank you!
03-06-2012 04:55 AM
Andrey,
The ISAKMP identity is only used when performing phase 1, i.e. you can change the setting, and the next time you establish phase 1 (depending on timers) you will use the new identity.
Auto is typically the better choice ;-)
M.
03-06-2012 05:11 AM
Marcin, thank you.
I have a few more questions.:)
What is the purpose of the 'peer-id-validate' command in the tunnel-group configuration block? Am I right in thinking that if the 'peer-id-validate cert' option is applied, the peers validate certificate DN information during the ISAKMP phase, and if
the 'peer-id-validate nocheck' option is applied, the peers don't validate anything during the ISAKMP phase? What are the disadvantages of using 'peer-id-validate nocheck'?
03-06-2012 10:58 AM
The ASA uses parts of the client cert DN to perform a tunnel-group lookup to place the user in a group. When "peer-id-validate req" is defined, the ASA also tries to compare the IKE ID (cert DN) with the actual cert DN (also received in the IKE negotiation); if the comparison fails, the connection fails. Now, you could set "peer-id-validate cert" for the time being, and the ASA will try to compare the values but allow the connection if it cannot.
Typically I would suggest using the "cert" option.
With nocheck we're just not strict about the IKE ID matching the certificate, which is normally not a security concern :-)
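Pulling the thread's advice together, the following is an added configuration example for the static-IP side of the tunnel (the side that answers the dynamic peer); it is not configuration posted by either participant. It assumes ASA 8.4(x) IKEv1 syntax (on 8.2 the equivalents are "crypto isakmp policy", "crypto ipsec transform-set" and a bare "trust-point" under ipsec-attributes), and every name in it (ROOT-CA, L2L-CERT-MAP, VPN-L2L, BRANCH-L2L, OUTSIDE-MAP, DYN-MAP, ESP-AES-SHA, the interface name "outside") is an assumption chosen for illustration. The point it demonstrates is the one made above: a certificate map plus tunnel-group-map sends the peer to a named ipsec-l2l tunnel-group, so nothing needs to be added to DefaultRAGroup, and "peer-id-validate cert" is set on that group rather than the stricter default "req".

```cisco
! Added example (not from the thread). Assumed names and ASA 8.4 IKEv1 syntax.

! Send the certificate DN as IKE ID when the tunnel-group authenticates with
! rsa-sig; PSK peers keep using the IP address, so both can coexist.
crypto isakmp identity auto

! Trustpoint for the CA that issued both peers' certificates (enrollment and
! CA/identity cert import omitted).
crypto ca trustpoint ROOT-CA
 enrollment terminal
 crl configure

! Certificate map: match any peer certificate whose subject OU is VPN-L2L.
crypto ca certificate map L2L-CERT-MAP 10
 subject-name attr ou eq VPN-L2L

! Rule-based tunnel-group lookup: certificates matching rule 10 of the map
! land on BRANCH-L2L instead of the default group. (The OU lookup that is on
! by default would also work if the tunnel-group were simply named VPN-L2L.)
tunnel-group-map enable rules
tunnel-group-map L2L-CERT-MAP 10 BRANCH-L2L

! Phase 1 with certificate (rsa-sig) authentication.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! A LAN-to-LAN tunnel-group with a name rather than a peer IP; it is reachable
! only because the certificate map above selects it. "peer-id-validate cert"
! compares IKE ID with the certificate DN but does not fail the tunnel on a
! mismatch, as recommended above; "req" (the default) would.
tunnel-group BRANCH-L2L type ipsec-l2l
tunnel-group BRANCH-L2L ipsec-attributes
 ikev1 trust-point ROOT-CA
 peer-id-validate cert

! Dynamic crypto map for the peer whose address is unknown in advance; give it
! the highest sequence number so static crypto map entries are tried first.
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
```

After the peer connects, "show run all tunnel-group-map" confirms that rule-based mapping is enabled, "show crypto ikev1 sa" shows the phase 1 SA, and "show vpn-sessiondb l2l" should list the session under BRANCH-L2L rather than DefaultRAGroup. The dynamic-IP side needs the mirror configuration with a static crypto map pointing at this ASA's address and its own certificate carrying OU=VPN-L2L (or whatever OU the map matches).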