ASA IPSEC VPN with Peer with Dynamic IP and certificates

OUMIA_JET
Level 1

Hello!

Anyone please give me the working ASA config for an ASA site-to-site IPsec VPN with a peer with a dynamic IP and authentication by certificates.

It's working with PSK authentication. But the connection landed in DefaultRAGroup instead of DefaultL2LGroup with certificate authentication.

What special config should I apply to DefaultRAGroup to activate the connection?

Thank you!

7 Replies

Marcin Latosiewicz
Cisco Employee

Andrey,

The first thing that should kick in is tunnel-group mapping by the OU value in certificates - create a tunnel-group with a name equal to the OU value.

Otherwise you can play with tunnel-group-map and certificate map to make sure particular certificates land on particular tunnel-groups.

TL;DR There is no need to land on default groups - the biggest benefit of certificates is that you can use parts of them to land on the correct tunnel-group.

M.

Marcin, thank you.

Do I need additional commands for tunnel-group mapping by OU to support an IPsec site-to-site connection?

Andrey,

OU mapping should be on by default. You can verify by doing:

bsns-asa5540-3# sh run all tunnel-group-map
no tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultRAGroup

You can see that by default, if we don't match OU, IKE-ID or peer-ip, we will land on DefaultRAGroup :-)

M.

Marcin,

I have the 'crypto isakmp identity address' command enabled on my Cisco ASA. But DC authentication is working. Phase 1 with my peer is in active state. Should I change 'crypto isakmp identity address' to 'crypto isakmp identity auto' to support both PSK and DC authentication? Will I get any service loss after applying 'crypto isakmp identity auto'?

Thank you!

Andrey,

The ISAKMP identity is only used when performing phase 1, i.e. you can change the setting, and the next time you establish phase 1 (depending on timers) you will use the new identity.

Auto is typically a better choice ;-)

M.

Marcin, thank you.

I have a few more questions. :)

What is the purpose of the 'peer-id-validate' command in the tunnel-group configuration block? Am I right in thinking that if the 'peer-id-validate cert' option is applied, the peers validate certificate DN information during the ISAKMP phase, and if the 'peer-id-validate nocheck' option is applied, the peers don't validate anything during the ISAKMP phase? What are the disadvantages of using 'peer-id-validate nocheck'?

The ASA uses parts of the client cert DN to perform a tunnel-group lookup to place the user in a group. When "peer-id-validate req" is defined the ASA also tries to compare the IKE ID (cert DN) with the actual cert DN (also received in IKE negotiation); if the comparison fails, the connection fails. Now you could set "peer-id-validate cert" for the time being and the ASA will try to compare the values but allow the connection if it cannot.

Typically I would suggest using the "cert" option.

With nocheck we're just not strict about the IKE ID matching the certificate, which is normally not a security concern :-)
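An added configuration example (not from this thread, and not Cisco's own sample) that puts together the tunnel-group-map lookup order Marcin showed above and his peer-id-validate advice, so a dynamic-IP peer authenticating with a certificate lands on a dedicated L2L tunnel-group instead of DefaultRAGroup. It assumes ASA 8.4+ IKEv1 syntax, a trustpoint already enrolled as MY_CA, branch certificates issued with OU=BRANCHES, and placeholder names BRANCH_POLICY and BRANCH_MAP; the existing dynamic crypto map that already works with PSK is left as is.

```cisco
! Added example; MY_CA, BRANCHES, BRANCH_POLICY and BRANCH_MAP are assumed names.
! Let the ASA pick IKE ID by auth type (address for PSK, cert DN for certificates).
crypto isakmp identity auto
!
group-policy BRANCH_POLICY internal
group-policy BRANCH_POLICY attributes
 vpn-tunnel-protocol ikev1
!
! 1) Default lookup: "tunnel-group-map enable ou" is on, so a tunnel-group whose
!    name equals the certificate OU (here BRANCHES) is selected before ike-id,
!    peer-ip and finally default-group DefaultRAGroup are tried.
tunnel-group BRANCHES type ipsec-l2l
tunnel-group BRANCHES general-attributes
 default-group-policy BRANCH_POLICY
tunnel-group BRANCHES ipsec-attributes
 ikev1 trust-point MY_CA
 peer-id-validate cert
!
! 2) Explicit alternative: a certificate map rule evaluated first once
!    "tunnel-group-map enable rules" is set, for peers whose OU is not a
!    tunnel-group name or where more than one attribute must match.
crypto ca certificate map BRANCH_MAP 10
 subject-name attr ou eq BRANCHES
tunnel-group-map enable rules
tunnel-group-map BRANCH_MAP 10 BRANCHES
```

After the peer re-establishes phase 1, "show vpn-sessiondb l2l" should list the session under BRANCHES rather than DefaultRAGroup.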
