04-19-2006 07:30 PM
When and under what circumstances do I enable the above setting when configuring a Cisco VPN Concentrator 3015?
04-19-2006 08:48 PM
IKE Peer Identity Validation
This option applies only to VPN tunnel negotiation based on certificates. This field enables you to hold clients to tighter security requirements.
04-19-2006 08:52 PM
This might clarify a bit more:
During IKE tunnel establishment, the peer provides its identity: either an IP address, a fully qualified
domain name (FQDN), or a distinguished name (DN). It also presents a certificate, which contains none,
some, or all of these fields. If IKE peer identity validation is enabled, the VPN Concentrator compares
the peer's identity to the like field in the certificate to see if the information matches. If the information
matches, then the peer's identity is validated and the VPN Concentrator establishes the tunnel. If the
information does not match, the VPN Concentrator drops the tunnel. This feature provides an additional
level of security.
IKE Peer Identity Validation can be useful for binding a peer to a particular IP address or domain name.
For example, if the IP address that the peer provided as an identification during tunnel establishment
does not match the IP address in its certificate, the VPN Concentrator fails to validate the peer and drops
the tunnel.
Ideally all the VPN Concentrator peers are configured to provide matching types of identity and
certificate fields. In this case, enabling Peer Identity Validation ensures that the VPN Concentrator
checks the validity of every peer, and only validated peers connect. But in actuality, some peers might
not be configured to provide this data. The peer provides a certificate, but that certificate might not
contain any of the matching fields required for an identity check. (For example, the peer might provide
an IP address for its identity and its certificate might contain only a distinguished name.) If a peer does
not provide sufficient information for the VPN Concentrator to check its identity, there are two
possibilities: the VPN Concentrator either establishes the session or drops it. If you want the VPN
Concentrator to drop sessions of peers that do not provide sufficient information to perform an identity
check, choose Required. If you want the VPN Concentrator to establish sessions for peers that do not
provide sufficient identity information to perform a check, select If supported by Certificate.
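The decision procedure described in the reply above, written out as a small Python model so the difference between the two modes is easy to see. This is an added example, not Cisco's code and not the concentrator's actual implementation: the `PeerCertificate` class, the `validate_peer_identity` function and the `DISABLED` label for "validation not enabled" are all constructed for illustration; only the mode names "Required" and "If supported by Certificate" come from the post. Note that a mismatch drops the tunnel in both modes; the modes only differ when the certificate lacks the field needed for the comparison.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Validation modes. The two named modes come from the post; DISABLED is a
# constructed label for "validation not enabled" (assumption, not a setting
# name taken from the page).
REQUIRED = "Required"
IF_SUPPORTED = "If supported by Certificate"
DISABLED = "Disabled"


@dataclass
class PeerCertificate:
    """Constructed stand-in for the identity-bearing fields of a peer's X.509
    certificate (in a real cert these live in the subject DN and SubjectAltName)."""
    ip_addresses: set = field(default_factory=set)  # SAN iPAddress entries
    fqdns: set = field(default_factory=set)         # SAN dNSName entries
    dn: Optional[str] = None                        # subject distinguished name


def _cert_values_for(id_type: str, cert: PeerCertificate):
    """Certificate values comparable to the peer's identity type, or None when
    the certificate carries no field of that type (the 'insufficient information'
    case from the post)."""
    if id_type == "ip":
        return cert.ip_addresses or None
    if id_type == "fqdn":
        return cert.fqdns or None
    if id_type == "dn":
        return {cert.dn} if cert.dn else None
    raise ValueError(f"unknown identity type {id_type!r}")


def _matches(id_type: str, id_value: str, cert_values) -> bool:
    """Compare the IKE identity against the like field in the certificate."""
    if id_type == "ip":
        # Normalise through ipaddress so textual variants compare by value
        try:
            wanted = ipaddress.ip_address(id_value)
        except ValueError:
            return False
        return any(ipaddress.ip_address(v) == wanted for v in cert_values)
    if id_type == "fqdn":
        # DNS names are case-insensitive; a trailing dot is not significant
        def norm(s: str) -> str:
            return s.rstrip(".").lower()
        return norm(id_value) in {norm(v) for v in cert_values}
    # DN: exact string comparison (a real implementation canonicalises RDNs)
    return id_value in cert_values


def validate_peer_identity(id_type: str, id_value: str,
                           cert: PeerCertificate, mode: str) -> Tuple[bool, str]:
    """Return (establish_tunnel, reason) following the post's decision table."""
    if mode == DISABLED:
        return True, "identity validation not enabled; no check performed"
    cert_values = _cert_values_for(id_type, cert)
    if cert_values is None:
        # Certificate lacks the comparable field: only the mode decides
        if mode == REQUIRED:
            return False, f"certificate has no {id_type} field; Required drops the tunnel"
        return True, f"certificate has no {id_type} field; If-supported establishes the tunnel"
    if _matches(id_type, id_value, cert_values):
        return True, f"peer {id_type} identity matches the certificate"
    return False, f"peer {id_type} identity {id_value!r} does not match the certificate"


if __name__ == "__main__":
    # Constructed sample peer: IP and FQDN in the cert, no DN
    cert = PeerCertificate(ip_addresses={"203.0.113.10"},
                           fqdns={"vpn-peer.example.com"})
    for args in [("ip", "203.0.113.10", cert, REQUIRED),
                 ("ip", "203.0.113.99", cert, IF_SUPPORTED),
                 ("dn", "CN=vpn-peer", cert, REQUIRED),
                 ("dn", "CN=vpn-peer", cert, IF_SUPPORTED)]:
        ok, why = validate_peer_identity(*args)
        print("ESTABLISH" if ok else "DROP     ", args[3], "->", why)
```

The third and fourth sample calls reproduce the post's own example (peer identifies by IP address, certificate contains only a distinguished name, or here no DN at all): Required drops the session, If supported by Certificate establishes it.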