I am trying to establish an IPsec tunnel between R1 and R3 using ISAKMP authentication with RSA signatures (the default method). The certificates are issued by a fourth router acting as a PKI server and are manually inserted in R1 and R3.
IPsec communication is established correctly between R1 and R3. What I cannot understand is that even when I change the R3 IP address from 10.0.23.3 -> 10.0.23.33 and the hostname from R3 -> R33 (without getting a new certificate), IPsec is still
- What does ISAKMP authentication do when certificates are used?
- What are the fields that each peer checks?
I would assume that the router extracts the IP address or the FQDN from the subject of its peer's certificate, and then checks whether these values are indeed equal to the identity supplied by the peer.
(Unfortunately, it did not work as I expected in my case.)
The certificate in R3 remains the same, with subject:
IP Address: 10.0.23.3
The only way I managed to make the previous setup work as I expected (successful IPsec connectivity initially, loss of connectivity when the IP or the hostname of R3 changed without getting a new certificate) was by using a certificate map in R1. That map defined the expected subject of the peer's certificate.
Is this the way that certificate based authentication is supposed to work?
When ISAKMP uses RSA signatures for authentication, should both peers employ certificate maps to verify that the identity described in the subject of the supplied certificates indeed matches the identities
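The certificate map on R1 that the poster describes, written out as an added example (this is not the poster's configuration). The trustpoint name PKI-SERVER, the map name R3-PEER, the profile name IKE-R3 and the crypto map name R1-MAP are assumed; the subject value 10.0.23.3 comes from the question.

```cisco
! Added example, not the poster's running config. Assumed names: PKI-SERVER
! (trustpoint for the fourth router's CA), R3-PEER (map), IKE-R3 (profile),
! R1-MAP (crypto map). Subject value 10.0.23.3 is the one shown in the question.
!
! Certificate map: accept only a peer certificate whose subject carries the
! address R3 enrolled with. Operators are eq, ne, co (contains), nc (not contains).
crypto pki certificate map R3-PEER 10
 ! "co" is a substring test, so 10.0.23.3 would also match 10.0.23.33.
 ! Copy the exact attribute string from "show crypto pki certificates" on R3
 ! and prefer eq on the complete field when the whole subject is known.
 subject-name co 10.0.23.3
!
! ISAKMP profile: tie the trustpoint, the certificate map and the expected
! IKE identity (ID payload) together, so a cert from the same CA with a
! different subject, or a different identity, does not select this profile.
crypto isakmp profile IKE-R3
 ca trust-point PKI-SERVER
 match certificate R3-PEER
 match identity address 10.0.23.3 255.255.255.255
!
! Attach the profile to the crypto map entry for the R3 tunnel.
crypto map R1-MAP 10 ipsec-isakmp
 set peer 10.0.23.3
 set isakmp-profile IKE-R3
!
! Checks after a negotiation attempt:
!   show crypto isakmp profile      (which profile the peer landed in)
!   show crypto pki certificates    (the subject string the map is tested against)
```

If the peer still negotiates after its address or hostname changes, compare the subject string in `show crypto pki certificates` with the map rule: a contains-match on a short value may still be satisfied.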