Cisco Support Community

IKE Peer Identity Validation setting

When and under what circumstances do I enable the above setting when configuring a Cisco VPN Concentrator 3015?


Re: IKE Peer Identity Validation setting

IKE Peer Identity Validation—This option applies only to VPN tunnel negotiation based on certificates. This field enables you to hold clients to tighter security


Re: IKE Peer Identity Validation setting

this might clarify a bit more:

During IKE tunnel establishment, the peer provides its identity: either an IP address, a fully qualified domain name (FQDN), or a distinguished name (DN). It also presents a certificate, which contains none, some, or all of these fields. If IKE peer identity validation is enabled, the VPN Concentrator compares the peer’s identity to the like field in the certificate to see if the information matches. If the information matches, then the peer’s identity is validated and the VPN Concentrator establishes the tunnel. If the information does not match, the VPN Concentrator drops the tunnel. This feature provides an additional level of security.

IKE Peer Identity Validation can be useful for binding a peer to a particular IP address or domain name. For example, if the IP address that the peer provided as an identification during tunnel establishment does not match the IP address in its certificate, the VPN Concentrator fails to validate the peer and drops the tunnel.

Ideally all the VPN Concentrator peers are configured to provide matching types of identity and certificate fields. In this case, enabling Peer Identity Validation ensures that the VPN Concentrator checks the validity of every peer, and only validated peers connect. But in actuality, some peers might not be configured to provide this data. The peer provides a certificate, but that certificate might not contain any of the matching fields required for an identity check. (For example, the peer might provide an IP address for its identity and its certificate might contain only a distinguished name.) If a peer does not provide sufficient information for the VPN Concentrator to check its identity, there are two possibilities: the VPN Concentrator either establishes the session or drops it. If you want the VPN Concentrator to drop sessions of peers that do not provide sufficient information to perform an identity check, choose Required. If you want the VPN Concentrator to establish sessions for peers that do not provide sufficient identity information to perform a check, select If supported by Certificate.
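The decision logic described in the reply above, written out as an added example (this is not Cisco code and not the poster's; it models the documented behaviour, it does not reproduce the Concentrator's implementation). It assumes a constructed CertIdentity structure standing in for the identity-bearing fields of a parsed X.509 certificate (IP and DNS subjectAltNames, subject DN), and it assumes case-insensitive comparison for FQDN and DN values; the Required versus If-supported-by-Certificate modes differ only in what happens when the certificate carries no field of the type the peer identified with.

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class IdType(Enum):
    """The three identity types an IKE peer can present during negotiation."""
    IP = "ip"
    FQDN = "fqdn"
    DN = "dn"


class Mode(Enum):
    """The two settings for IKE Peer Identity Validation on the Concentrator."""
    REQUIRED = "required"
    IF_SUPPORTED = "if_supported_by_certificate"


@dataclass
class CertIdentity:
    """Identity fields of a peer certificate (constructed stand-in, not a parsed cert)."""
    ip_sans: List[str] = field(default_factory=list)
    dns_sans: List[str] = field(default_factory=list)
    subject_dn: Optional[str] = None

    def fields_for(self, id_type: IdType) -> List[str]:
        """Return the certificate values of the same type as the peer's identity."""
        if id_type is IdType.IP:
            return list(self.ip_sans)
        if id_type is IdType.FQDN:
            return list(self.dns_sans)
        return [self.subject_dn] if self.subject_dn else []


def _normalize_dn(dn: str) -> str:
    # Assumption: RDNs compared case-insensitively with whitespace around commas ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))


def _matches(id_type: IdType, claimed: str, cert_value: str) -> bool:
    """Compare one peer identity value against one certificate value of the same type."""
    if id_type is IdType.IP:
        try:
            return ipaddress.ip_address(claimed) == ipaddress.ip_address(cert_value)
        except ValueError:
            return False  # unparsable address can never validate
    if id_type is IdType.FQDN:
        return claimed.rstrip(".").lower() == cert_value.rstrip(".").lower()
    return _normalize_dn(claimed) == _normalize_dn(cert_value)


def validate_peer_identity(id_type: IdType, claimed: str,
                           cert: CertIdentity, mode: Mode) -> Tuple[str, str]:
    """Return ("ESTABLISH" | "DROP", reason) for a certificate-based IKE negotiation.

    Mirrors the documented behaviour: a matching like-field validates the peer,
    a mismatching like-field drops the tunnel, and a certificate with no
    like-field is dropped under Required but accepted under If-supported.
    """
    candidates = cert.fields_for(id_type)
    if not candidates:
        if mode is Mode.REQUIRED:
            return "DROP", f"certificate has no {id_type.value} field to check"
        return "ESTABLISH", f"certificate has no {id_type.value} field; check skipped"
    for value in candidates:
        if _matches(id_type, claimed, value):
            return "ESTABLISH", f"identity {claimed!r} matches certificate {id_type.value} field"
    return "DROP", f"identity {claimed!r} does not match certificate {id_type.value} field(s) {candidates}"


if __name__ == "__main__":
    # Constructed sample certificates: one carries all three field types, one only a DN.
    full = CertIdentity(ip_sans=["192.0.2.10"], dns_sans=["vpn-peer.example.net"],
                        subject_dn="CN=vpn-peer.example.net, O=Example Corp, C=US")
    dn_only = CertIdentity(subject_dn="CN=branch-router, O=Example Corp")
    for args in [(IdType.IP, "192.0.2.10", full, Mode.REQUIRED),
                 (IdType.IP, "192.0.2.11", full, Mode.REQUIRED),
                 (IdType.IP, "192.0.2.10", dn_only, Mode.REQUIRED),
                 (IdType.IP, "192.0.2.10", dn_only, Mode.IF_SUPPORTED)]:
        print(args[3].value, args[1], "->", validate_peer_identity(*args))
```

The third and fourth cases in the usage block are the situation the reply singles out: the peer identifies by IP address but its certificate carries only a DN, so Required drops the session while If supported by Certificate lets it through unchecked. Operationally, Required is the setting to choose once every peer's certificate is known to carry the field type it identifies with; until then If supported by Certificate silently waives the check for exactly the peers that cannot be bound.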
