Tunnel Group Map Using Digital Certificates and IKE-ID

Scott Pickles
Level 4

Documentation for the 'tunnel-group-map enable ike-id' indicates that the tunnel group will be selected based on the Phase 1 ISAKMP ID.  If I am using digital certificates, what field from the certificate is chosen to represent this ID?  I have found IOS documentation (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd8034bd59.html) that indicates in older releases that it defaults to the subject name ("...the ISAKMP identity payload contained the subject name from the certificate").  With newer code, it is user definable ("...assign an ISAKMP profile to a peer on the basis of the contents of arbitrary fields in the certificate.").  Would this then apply to an ASA as well?  I can't seem to find any examples on how to specify which fields are used to map to the ISAKMP ID.  I know how to create a certificate map and apply it to a tunnel-group, but I don't know how I would limit that specific tunnel group to only using the rule 'ike-id' as I have all three rules enabled (ou, ike-id, peer-ip).  With multiple rules being enabled, what is the order of operation/preference in checking for a match?

Regards,
Scott

3 Replies

Marcin Latosiewicz
Cisco Employee

Scott,

You should use the IKE ID to look for the tunnel-group and, in the case of IOS, the IKE (v1 or v2) profile.

On IOS we have a bit more flexibility in what kind of IKE ID should be sent (hostname, address, dn ... and more in case of IKEv2).

On ASA unfortunately the choice is limited to what the "crypto isakmp identity ..." command allows you. I think "auto" is a sane option.

If you do "show run all tunnel-group-map" on ASA you will see the order of matching on ASA, with administrator defined rules being first, OU mapping (for cert auth) second and third IKE ID .... etc etc.

M.

Marcin -

Will a debug of an authentication attempt using a digital certificate show me the IKE ID so I know what component of the certificate is being utilized for the IKE ID?  In IOS, how do we use certificate maps to define what kind of IKE ID should be sent?  Can you provide any examples?

Regards,
Scott

Scott,

IKE debugs will show you the identity. In IKEv1 it will happen in MM5 and MM6 or AM1 and AM2. Or in IKE_AUTH messages in IKEv2.

On IOS/IKEv1 under isakmp profile you have "match certificate" and "self-identity"; however it allows you to pick only one of a few options.

So you can match cert in MM5 and send chosen identity in MM6. Also comes with a caveat - what happens when you initiate ... ;-)

On ASA, as mentioned, we're stuck with global settings for identity, unless recent changes have been done.

M.
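The two replies above describe the pieces (a certificate map, the tunnel-group-map rule order on ASA, and "match certificate" / "self-identity" under an IOS ISAKMP profile) without putting them in one place. The configuration below is an added illustration of the combination being discussed, not configuration posted by either participant in the thread. The trustpoint, map, profile and tunnel-group names (MY-TP, ENG-CERT-MAP, ENG-TG, ENG-PROFILE) and the "Engineering" OU value are assumed for the example.

```cisco
!=== ASA side (assumed names: ENG-CERT-MAP, ENG-TG) ===
! Certificate map: matches peers whose subject OU is "Engineering"
crypto ca certificate map ENG-CERT-MAP 10
 subject-name attr ou eq Engineering
!
! Tunnel group that certificate-authenticated peers should land in
tunnel-group ENG-TG type remote-access
!
! Identity sent by the ASA in Phase 1; "auto" picks DN for cert auth
crypto isakmp identity auto
!
! Mapping rules. Evaluation order is fixed by the platform, not by the
! order typed here; check it with "show run all tunnel-group-map":
!   administrator-defined rules, then OU, then IKE ID, then peer IP.
tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
!
! Administrator-defined rule: peers matching ENG-CERT-MAP -> ENG-TG.
! Because "rules" is evaluated first, a cert-map hit wins before the
! generic OU / IKE-ID / peer-IP lookups are tried.
tunnel-group-map ENG-CERT-MAP 10 ENG-TG

!=== IOS side, IKEv1 (assumed names: MY-TP, ENG-CERT-MAP, ENG-PROFILE) ===
! Certificate map keyed on an arbitrary subject-name field (here OU)
crypto pki certificate map ENG-CERT-MAP 10
 subject-name co ou = engineering
!
! Global identity used when no profile-specific self-identity applies
crypto isakmp identity dn
!
! ISAKMP profile: selected when the peer's certificate matches the map
! (MM5 on the responder); self-identity controls what this router sends
! back as its own ID (MM6). Only the fixed keyword choices are available.
crypto isakmp profile ENG-PROFILE
 ca trust-point MY-TP
 match certificate ENG-CERT-MAP
 self-identity fqdn
```

To confirm which certificate field actually becomes the IKE ID in a given negotiation, run the ASA with "debug crypto isakmp" (IKEv1) or the IOS router with "debug crypto isakmp" / "debug crypto ikev2", and read the identity payload logged in MM5/MM6 (or IKE_AUTH for IKEv2), as the reply describes; the debug output, not the configuration, is the ground truth for the mapping decision. Keep the "peer-ip" rule enabled only if you actually rely on it, since it is the loosest of the three lookups.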