Hello, I'm setting up an ASA5540 as a VPN IPsec concentrator. I would like to know what the difference is between using the default certificate matching configuration, which is to keep rules disabled and use the Certificate Group Matching Policy that indicates to use the value of the OU in the subject distinguished name (DN):
no tunnel-group-map enable rules <-- (default setting)
tunnel-group-map enable ou <-- (default setting)
or enabling rules and specifying a matching rule that matches the OU attribute exactly (example: grouptest):
no tunnel-group-map enable ou
tunnel-group-map enable rules
crypto ca certificate map 1
subject-name attr ou eq grouptest
With the default configuration, the matching always succeeds. But when I enable rules and try to match the OU manually, the matching always fails.
I include a subject excerpt from the client certificate:
When you use IPsec with certificates, the peers send the IKE identity with the hostname, not the IP address, in the IKE messages. Hence you need a tunnel group matching the hostname that is being sent in the IKE messages.
If you want to match any parameters in the certificates, then you use tunnel-group rules and certificate maps. Let's say you need to match the "IP address" in the certificate. You define a certificate map matching the IP address and then create a tunnel-group that is mapped to the certificate map.
Please use the following command to map the certificate map to your customized tunnel-group.
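As an added configuration example (not part of the answer above or of Cisco's documentation), here is the complete rules-based mapping the answer describes, using the OU value "grouptest" from the question; the trust-point name MY-TRUSTPOINT, the tunnel-group type and the pre-8.4 command syntax are assumptions. The excerpt in the question defines the certificate map rule but shows no tunnel-group-map line binding that rule to a tunnel group, which is the step this example adds.

```cisco
! Added example, not from the original thread. "grouptest" is the OU value
! and tunnel-group name from the question; MY-TRUSTPOINT is a placeholder.
!
! 1. The tunnel group that certificate-matched peers should be placed in.
!    (Older releases use "type ipsec-ra" instead of "type remote-access".)
tunnel-group grouptest type remote-access
tunnel-group grouptest ipsec-attributes
 trust-point MY-TRUSTPOINT
!
! 2. Certificate map rule 1: match OU=grouptest in the subject DN.
!    "eq" is an exact, case-insensitive comparison of the whole attribute;
!    use "co" (contains) only if the OU carries extra text.
crypto ca certificate map 1
 subject-name attr ou eq grouptest
!
! 3. Bind rule 1 to the tunnel group. Without this line a rules-based match
!    has no tunnel group to select, so the lookup falls through to the
!    default group even though the certificate itself matches the rule.
tunnel-group-map 1 grouptest
!
! 4. Switch from OU-based matching to rules-based matching.
no tunnel-group-map enable ou
tunnel-group-map enable rules
!
! Verify the rule set and the binding before testing a client connection.
show running-config crypto ca certificate map
show running-config tunnel-group-map
```

If the client certificate's subject OU differs from the rule value in any way (extra text, a different OU chosen when several are present), the rule will not match; the certificate's subject DN should be checked against the rule value before assuming the map itself is at fault.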