Hello all, I'm trying to establish a VPN with a Checkpoint NGX from my PIX. IKE phase one works, but apparently when trying phase 2 the connection cannot be established. Here is a debug message:
crypto_isakmp_process_block:src:w.x.y.z, dest:z.y.x.w spt:500 dpt:500
ISAKMP (0): processing SA payload. message ID = 3036632205
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
I saw on the forums that this might be a bug on the NGX. And I saw in a Cisco troubleshooting document that it could be: "The access lists on each peer needs to mirror each other (all entries need to be reversible)."
So which one do you think it is?
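
Added example, not part of the original post: one way to test the Cisco rule quoted above, by comparing the PIX crypto access list against the reverse of the peer's traffic selectors. The ACL number, the addresses and the peer selector list are constructed sample data, and the peer side is assumed to be expressible as (local network, remote network) pairs.

```python
import ipaddress

# Constructed sample data: a PIX crypto ACL and the selectors the peer is
# assumed to use, written from the peer's point of view as (local, remote).
PIX_ACL = """\
access-list 110 permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 permit ip 10.1.2.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
PEER_SELECTORS = [
    ("192.168.10.0/24", "10.1.1.0/24"),
    ("192.168.0.0/16", "10.1.2.0/24"),  # wider than the PIX entry: no mirror
]


def parse_pix_acl(text):
    """Return (source, destination) networks from 'permit ip' ACL entries."""
    pairs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            # PIX ACLs use netmasks, which ip_network accepts directly.
            src = ipaddress.ip_network(f"{f[4]}/{f[5]}")
            dst = ipaddress.ip_network(f"{f[6]}/{f[7]}")
            pairs.append((src, dst))
    return pairs


def mirror_report(local_pairs, peer_pairs):
    """Compare local entries with the peer entries after reversing them."""
    local = set(local_pairs)
    mirrored = {
        (ipaddress.ip_network(remote), ipaddress.ip_network(own))
        for own, remote in peer_pairs
    }
    return {
        "matched": sorted(local & mirrored, key=str),
        "only_local": sorted(local - mirrored, key=str),
        "only_peer": sorted(mirrored - local, key=str),
    }


if __name__ == "__main__":
    report = mirror_report(parse_pix_acl(PIX_ACL), PEER_SELECTORS)
    for status, entries in report.items():
        for src, dst in entries:
            print(f"{status:10} {src} -> {dst}")
```

Any entry reported under `only_local` or `only_peer` is a selector pair that one side has and the other does not, which is the condition the quoted troubleshooting note describes.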