Cisco and Checkpoint - no proposal chosen

Answered Question
Mar 26th, 2008

Hi,

We had a working IPsec VPN between an IOS router and a Checkpoint FW. Now, after adding host entries to the ACL, we got "no proposal chosen".

My question:

=> Can we use more than one entry in an ACL attached to a crypto map? <=

Like this, for example:

access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
...

Greetings Richi

Correct Answer by pjhenriqs about 8 years 8 months ago

Hi Richi,

Yes, you can use more than one entry in that ACL, but the ACL should be symmetric on the other side of the VPN.

So, for example,

access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5

should be on the other side:

access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31

Have you checked that you have the symmetric access lists?

Hope it helps,

Paulo
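The mirroring rule in the answer above can be checked mechanically. The following Python script is an added example, not code from the thread or from Cisco or Check Point: it parses crypto-ACL entries in the `access-list N permit ip SRC WILDCARD DST WILDCARD` / `host A` syntax used in the question, generates the mirrored lines the peer needs, and compares a local ACL with the peer's encryption domain (assumed, for the check, to be written in the same notation) so that any entry without a mirror is reported before IKE Phase 2 fails with "no proposal chosen". The sample ACLs are constructed: the local one reuses the entries from the question, and the peer one deliberately omits one host and uses a /24 instead of a /27 for another.

```python
import ipaddress
import re

# Extended-ACL form used in the thread:
#   access-list <n> permit ip <src-spec> <dst-spec>
# where <spec> is "host A.B.C.D", "any", or "A.B.C.D W.W.W.W" (address + wildcard).
_ACL_RE = re.compile(r"^\s*access-list\s+(?P<id>\d+)\s+permit\s+ip\s+(?P<rest>.+?)\s*$",
                     re.IGNORECASE)


def _wildcard_to_network(addr, wildcard):
    """Convert an IOS address + wildcard mask into an ip_network.
    The two ambiguous wildcards are handled explicitly, because ipaddress would
    otherwise read 0.0.0.0 as a zero netmask (/0) instead of a single host."""
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(addr + "/32")
    if wildcard == "255.255.255.255":
        return ipaddress.ip_network("0.0.0.0/0")
    # ipaddress accepts a hostmask (IOS wildcard) as the mask; non-contiguous
    # wildcards raise ValueError, which is right since they are not one subnet.
    # strict=False masks an unaligned address the same way IOS does.
    return ipaddress.ip_network((addr, wildcard), strict=False)


def _take_spec(tokens):
    """Consume one address specification; return (ip_network, remaining tokens)."""
    if not tokens:
        raise ValueError("missing address specification")
    head = tokens[0].lower()
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "host":
        if len(tokens) < 2:
            raise ValueError("'host' keyword without an address")
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) < 2:
        raise ValueError(f"address {tokens[0]} without a wildcard mask")
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acl(text):
    """Parse ACL lines into a list of (acl_id, src_network, dst_network).
    Blank lines, '!' comments and a '...' placeholder are skipped; anything
    else that is not a 'permit ip' entry raises ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("!") or stripped == "...":
            continue
        m = _ACL_RE.match(stripped)
        if not m:
            raise ValueError(f"line {lineno}: not a 'permit ip' entry: {stripped!r}")
        src, rest = _take_spec(m.group("rest").split())
        dst, rest = _take_spec(rest)
        if rest:
            raise ValueError(f"line {lineno}: trailing tokens {rest}")
        entries.append((m.group("id"), src, dst))
    return entries


def _spec(net):
    """Render a network back into IOS ACL notation."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def mirrored_acl(text):
    """Return the lines the peer needs: every entry with src and dst swapped."""
    return [f"access-list {acl_id} permit ip {_spec(d)} {_spec(s)}"
            for acl_id, s, d in parse_crypto_acl(text)]


def mirror_check(local_text, remote_text):
    """Each local (src, dst) pair must appear on the peer as (dst, src).
    Returns matched pairs, local entries with no mirror on the peer, and peer
    entries with no mirror locally; any non-empty mismatch list means the
    Phase 2 proxy identities will not agree."""
    local = {(s, d) for _, s, d in parse_crypto_acl(local_text)}
    remote_mirrored = {(d, s) for _, s, d in parse_crypto_acl(remote_text)}
    return {
        "matched": sorted(local & remote_mirrored),
        "missing_on_remote": sorted(local - remote_mirrored),
        "extra_on_remote": sorted(remote_mirrored - local),
    }


# Constructed sample: the Cisco side, using the entries from the question.
LOCAL_ACL = """
access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
"""

# Constructed sample: the peer's encryption domain in the same notation.
# Host 4.14.6.243 is missing and 172.17.18.0 is a /24 instead of a /27.
PEER_ACL = """
access-list 125 permit ip 4.72.0.0 0.0.255.255 172.17.17.160 0.0.0.31
access-list 125 permit ip 4.72.0.0 0.0.255.255 172.17.18.0 0.0.0.31
access-list 125 permit ip host 4.50.50.4 172.17.18.0 0.0.0.31
access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.255
"""

if __name__ == "__main__":
    for kind, pairs in mirror_check(LOCAL_ACL, PEER_ACL).items():
        print(kind)
        for s, d in pairs:
            print(f"  {s} -> {d}")
    print("peer should carry:")
    for line in mirrored_acl(LOCAL_ACL):
        print("  " + line)
```

Running the script lists the three entries that agree, the two local entries the peer does not mirror (the /27 to 4.14.6.243 and to 4.26.13.5) and the stray /24 on the peer, then prints the five mirrored lines the peer side needs; the mirrored form of the answer's own example comes out as `access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31`.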

richi3161 Wed, 03/26/2008 - 07:02

We found a solution / workaround:

The order of the Cisco ACL was clear, but not from the Checkpoint side. So we built up the new encryption domains step by step.

=> after every entry (same network / host object, of course symmetric) we checked the IPSec tunnel

Now all entries are done and the tunnel is still active.
