New Member

ASA IPSEC VPN with Peer with Dynamic IP and certificates

Hello!

Can anyone please give me a working ASA config for an ASA site-to-site IPSEC VPN with a peer with a dynamic IP and authentication by certificates?

It's working with PSK authentication. But the connection landed in DefaultRAGroup instead of DefaultL2LGroup with certificate authentication.

What special config should I apply to DefaultRAGroup to activate the connection?

Thank you!

Accepted Solution
Cisco Employee

ASA IPSEC VPN with Peer with Dynamic IP and certificates

The ASA uses parts of the client cert DN to perform a tunnel-group lookup to place the user in a group. When "peer-id-validate req" is defined the ASA also tries to compare the IKE ID (cert DN) with the actual cert DN (also received in IKE negotiation); if the comparison fails the connection fails. Now you could set "peer-id-validate cert" for the time being and the ASA will try to compare the values but allow the connection if it cannot.

Typically I would suggest using the "cert" option.

With nocheck we're just not strict about the IKE ID matching the certificate, which is normally not a security concern :-)

7 REPLIES
Cisco Employee

ASA IPSEC VPN with Peer with Dynamic IP and certificates

Andrey,

The first thing that should kick in is tunnel-group mapping by OU value in certificates - create a tunnel-group with name equal to the OU value.

Otherwise you can play with tunnel-group-map and certificate map to make sure particular certificates land on particular tunnel-groups.

TL;DR There is no need to land on default groups - the biggest benefit of certificates is that you can use parts of them to land on the correct tunnel-group.

M.

New Member

ASA IPSEC VPN with Peer with Dynamic IP and certificates

Marcin, thank you.

Do I need additional commands for tunnel-group mapping by OU to support an IPSEC site-to-site connection?

Cisco Employee

ASA IPSEC VPN with Peer with Dynamic IP and certificates

Andrey,

OU mapping should be on by default. You can verify by doing:

bsns-asa5540-3# sh run all tunnel-group-map
no tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultRAGroup

You can see that by default if we don't match OU, IKE-ID or peer-ip we will land on DefaultRAGroup :-)

M.
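An added example (not from this thread) of the mapping Marcin describes, combining the OU-named tunnel-group with an explicit certificate map and the "cert" peer-id-validate setting from the accepted solution. The names VPN-L2L, L2L-PEERS, MY-CA and the OU values are assumptions; the crypto map / dynamic crypto map already used for the PSK setup is assumed to stay as it is, and "ikev1 trust-point" is the ASA 8.4+ syntax.

```text
! Tunnel group whose name equals the OU in the peer certificate.
! With "tunnel-group-map enable ou" (the default) a peer cert with
! OU=VPN-L2L lands here instead of DefaultRAGroup.
tunnel-group VPN-L2L type ipsec-l2l
tunnel-group VPN-L2L ipsec-attributes
 ikev1 trust-point MY-CA
 peer-id-validate cert
!
! Explicit mapping for peers whose OU is something else (assumed OU=BRANCH):
! a certificate map rule, plus enabling rule-based lookup, which the
! "sh run all tunnel-group-map" output above shows is off by default.
crypto ca certificate map L2L-PEERS 10
 subject-name attr ou eq BRANCH
!
tunnel-group-map enable rules
tunnel-group-map L2L-PEERS 10 VPN-L2L
!
! Anything that matches neither the OU nor the rule still falls through here,
! which is the behaviour the original question ran into:
tunnel-group-map default-group DefaultRAGroup
```

After applying it, "sh run all tunnel-group-map" should now list "tunnel-group-map enable rules" and the L2L-PEERS rule, and a debug of the next phase 1 should show the peer being placed in VPN-L2L.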

New Member

ASA IPSEC VPN with Peer with Dynamic IP and certificates

Marcin,

I have the 'crypto isakmp identity address' command enabled on my Cisco ASA. But DC authentication is working. Phase 1 with my peer is in active state. Should I change 'crypto isakmp identity address' to 'crypto isakmp identity auto' to support both PSK and DC authentication? Will I get any service loss after applying 'crypto isakmp identity auto'?

Thank you!

Cisco Employee

ASA IPSEC VPN with Peer with Dynamic IP and certificates

Andrey,

The isakmp identity is only used when performing phase 1, i.e. you can change the setting, and the next time you establish phase 1 (depending on timers) you will use the new identity.

Auto is typically a better choice ;-)

M.

New Member

ASA IPSEC VPN with Peer with Dynamic IP and certificates

Marcin, thank you.

I have a few more questions.:)

What is the purpose of the 'peer-id-validate' command in the tunnel-group configuration block? Am I thinking right that if the 'peer-id-validate cert' option is applied, during the isakmp phase peers validate certificate DN information, and if the 'peer-id-validate nocheck' option is applied, during the isakmp phase peers don't validate anything? What are the disadvantages of using 'peer-id-validate nocheck'?
