Cisco and Checkpoint - no proposal chosen

Answered Question
Mar 26th, 2008

Hi,

we had a working IPSEC VPN between an IOS Router and a Checkpoint FW. Now, after adding host entries to the ACL, we got "no proposal chosen".

My question:

=> Can we use more than one entry in an ACL attached to a crypto map? <=


Like this for example:

access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255

access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255

access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243

access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4

access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5


...


Greetings Richi

Correct Answer by pjhenriqs about 9 years 4 months ago

Hi Richi,


Yes, you can use more than one entry in that ACL, but the ACL should be symmetric on the other side of the VPN.


So, for example:


access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5


should be on the other side:


access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31


Have you checked that you have the symmetric access lists?


Hope it helps,

Paulo

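The symmetry requirement in the answer above can be checked mechanically. The following script is an added example and is not part of the original thread or of any Cisco or Check Point tooling: it parses the subset of IOS extended ACL syntax used in the question (permit ip with host, wildcard mask or any), converts each entry into a (source, destination) network pair, and reports every pair that has no mirrored counterpart on the peer. It assumes the peer's encryption domain has been written out by hand in the same IOS syntax (Check Point's object definitions are not parsed), and the REMOTE_ACL below is constructed for illustration, with one mirrored entry deliberately missing and one with a wrong mask.

```python
"""
Compare two IPsec crypto ACLs (Cisco IOS syntax) for proxy-ID symmetry.

IKE phase 2 "no proposal chosen" is commonly a proxy-ID mismatch: every
(local, remote) pair the initiator proposes must exist on the responder
with source and destination swapped and identical prefix lengths.
"""
import ipaddress
import re

# Grammar handled: access-list <n> permit|deny ip <addr> <addr>
# where <addr> is "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard mask).
_LINE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.*)$")


def _take_addr(tokens):
    """Consume one address spec from the token list and return an IPv4Network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted subnet masks: 0.0.0.31 -> 255.255.255.224 (/27).
    # Inverting by hand avoids ipaddress treating "0.0.0.0" as a /0 netmask
    # instead of the /32 host wildcard it means in IOS.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    # strict=False tolerates host bits; a non-contiguous mask raises ValueError.
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_crypto_acl(text):
    """Return the set of (src, dst) IPv4Network pairs permitted by the ACL text."""
    pairs = set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank lines, comments, unrelated configuration
        _, action, rest = m.groups()
        if action != "permit":
            continue  # deny entries do not define proxy IDs
        tokens = rest.split()
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        pairs.add((src, dst))
    return pairs


def find_asymmetries(local_acl, remote_acl):
    """Return (missing_on_remote, missing_on_local) as sorted lists of pairs.

    Each pair is expressed from the local side's point of view, so a remote
    entry is first mirrored (dst, src) before the two sets are compared.
    """
    local = parse_crypto_acl(local_acl)
    remote_mirrored = {(d, s) for (s, d) in parse_crypto_acl(remote_acl)}
    return sorted(local - remote_mirrored), sorted(remote_mirrored - local)


# Local side: the five entries from the question.
LOCAL_ACL = """
access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
"""

# Constructed peer side (hypothetical ACL number 110): the 4.50.50.4 mirror
# uses wildcard 0.0.0.255 instead of 0.0.0.31, so its prefix length differs.
REMOTE_ACL = """
access-list 110 permit ip 4.72.0.0 0.0.255.255 172.17.17.160 0.0.0.31
access-list 110 permit ip 4.72.0.0 0.0.255.255 172.17.18.0 0.0.0.31
access-list 110 permit ip host 4.14.6.243 172.17.18.0 0.0.0.31
access-list 110 permit ip host 4.50.50.4 172.17.18.0 0.0.0.255
access-list 110 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31
"""

if __name__ == "__main__":
    missing_remote, missing_local = find_asymmetries(LOCAL_ACL, REMOTE_ACL)
    for src, dst in missing_remote:
        print(f"local {src} -> {dst} has no mirror on the peer")
    for src, dst in missing_local:
        print(f"peer proposes {src} -> {dst}, absent from local ACL")
    if not missing_remote and not missing_local:
        print("crypto ACLs are symmetric")
```

Run it against both sides' configurations after every change to the encryption domain; a single entry whose mask differs (here /27 versus /24) is enough for the responder to reject the proposal, and the report points at exactly that pair rather than leaving you to compare the lists by eye.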
richi3161 Wed, 03/26/2008 - 07:02

We found a solution / workaround:

The order of the Cisco ACL was clear, but not from Checkpoint side. So we built up the new encryption domains step by step.

=> after every entry (same network / host object, of course symmetric) we checked the IPSec tunnel

Now all entries are done and the tunnel is still active.
