03-27-2013 12:44 PM
Documentation for the 'tunnel-group-map enable ike-id' indicates that the tunnel group will be selected based on the Phase 1 ISAKMP ID. If I am using digital certificates, what field from the certificate is chosen to represent this ID? I have found IOS documentation (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd8034bd59.html) that indicates in older releases that it defaults to the subject name ("...the ISAKMP identity payload contained the subject name from the certificate"). With newer code, it is user definable ("...assign an ISAKMP profile to a peer on the basis of the contents of arbitrary fields in the certificate."). Would this then apply to an ASA as well? I can't seem to find any examples on how to specify which fields are used to map to the ISAKMP ID. I know how to create a certificate map and apply it to a tunnel-group, but I don't know how I would limit that specific tunnel group to only using the rule 'ike-id' as I have all three rules enabled (ou, ike-id, peer-ip). With multiple rules being enabled, what is the order of operation/preference in checking for a match?
Regards,
Scott
03-28-2013 05:22 AM
Scott,
You should use the IKE ID to look for tunnel-group and in case of IOS IKE (v1 or v2) profile.
On IOS we have a bit more flexibility in what kind of IKE ID should be sent (hostname, address, dn ... and more in case of IKEv2).
On ASA unfortunately the choice is limited to what the "crypto isakmp identity ..." command allows you. I think "auto" is a sane option.
If you do "show run all tunnel-group-map" on ASA you will see the order of matching on ASA, with administrator defined rules being first, OU mapping (for cert auth) second and third IKE ID .... etc etc.
M.
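As an added illustration of the ASA side of this reply (not configuration from the thread or from Cisco), the fragment below binds a certificate map rule to a tunnel group and enables all of the tunnel-group-map matching methods. The names MAP_BRANCH, TG_BRANCH, TP_EXAMPLE, the OU value and the issuer CN are assumptions; the evaluation order in the comments is the one stated in the reply above, and "show run all tunnel-group-map" is the command the reply gives for confirming it on a real box.

```cisco
! Added example, not from the thread. Names and attribute values are assumed.
!
! Certificate map: rule 10 matches peers whose certificate carries the
! assumed OU and was issued by the assumed CA.
crypto ca certificate map MAP_BRANCH 10
 subject-name attr ou eq branch-routers
 issuer-name attr cn eq Example-CA
!
! Administrator-defined rule: certificates matching MAP_BRANCH rule 10
! are placed into tunnel group TG_BRANCH (assumed to exist).
tunnel-group-map MAP_BRANCH 10 TG_BRANCH
!
! Matching methods. Per the reply above, "show run all tunnel-group-map"
! shows the order the ASA evaluates them: administrator-defined rules
! first, then OU mapping, then IKE ID, then peer IP.
tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
!
! Fallback when nothing matches.
tunnel-group-map default-group DefaultRAGroup
!
! Phase 1 identity is a global setting on ASA, not per tunnel group.
crypto isakmp identity auto
```

With this in place, a certificate-authenticated peer is checked against the administrator rule first; "ike-id" and "peer-ip" only come into play for peers that no explicit certificate map rule (and no OU match) has already claimed, so there is no per-tunnel-group way to restrict one group to the "ike-id" rule alone.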
03-28-2013 12:06 PM
Marcin -
Will a debug of an authentication attempt using a digital certificate show me the IKE ID so I know what component of the certificate is being utilized for the IKE ID? In IOS, how do we use certificate maps to define what kind of IKE ID should be sent? Can you provide any examples?
Regards,
Scott
03-29-2013 03:46 AM
Scott,
IKE debugs will show you the identity. In IKEv1 it will happen in MM5 and MM6 or AM1 and AM2. Or in IKE_AUTH messages in IKEv2.
On IOS/IKEv1 under isakmp profile you have "match certificate
So you can match cert in MM5 and send chosen identity in MM6. Also comes with a caveat - what happens when you initiate ... ;-)
On ASA, as mentioned, we're stuck with global settings for identity, unless recent changes have been done.
M.
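As an added example of the IOS/IKEv1 mechanism described in this reply (not configuration from the thread or from Cisco), the fragment below uses a certificate map to select an ISAKMP profile, sets the identity that profile sends, and pins the same profile to a crypto map so the "what happens when you initiate" caveat is covered. All names (MAP_BRANCH, PROF_BRANCH, TP_EXAMPLE, CM_OUTSIDE, the OU and CA values, the peer address and the access list) are assumptions.

```cisco
! Added example, not from the thread. Names and values are assumed.
!
! Certificate map: match on fields of the peer certificate received in MM5.
crypto pki certificate map MAP_BRANCH 10
 subject-name co ou = branch-routers
 issuer-name co cn = Example-CA
!
! ISAKMP profile selected when the peer certificate matches MAP_BRANCH.
! self-identity controls the identity this router sends (in MM6 when
! responding), independent of the global "crypto isakmp identity".
crypto isakmp profile PROF_BRANCH
 ca trust-point TP_EXAMPLE
 match certificate MAP_BRANCH
 self-identity fqdn
!
! Caveat from the reply: when this router initiates, no peer certificate
! has been seen yet when it must pick a profile, so bind the profile to
! the crypto map entry explicitly.
crypto map CM_OUTSIDE 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS_EXAMPLE
 set isakmp-profile PROF_BRANCH
 match address ACL_BRANCH
```

To verify which identity was actually exchanged, run "debug crypto isakmp" during a negotiation as the reply suggests and look at the MM5/MM6 (or AM1/AM2) identity payloads; "show crypto isakmp sa detail" shows the profile that was selected for an established SA.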