PIX535 to Checkpoint NG, no match found, BUT THERE IS A MATCH

Unanswered Question
Jul 28th, 2008

I have a support case open on this but it's not getting anywhere.

Here is the issue: I can establish a connection from the PIX to the CPNG and everything is happy, but when the CPNG side initiates the tunnel we get a Phase 2 failure where the PIX rejects the SA.

Here are the log entries and config info (IPs and access-list names have been changed for security reasons):

Jul 25 2008 15:20:09 713061 Group = 123.1.2.3, IP = 123.1.2.3, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 100.10.10.0/255.255.254.0/0/0 local proxy 200.2.2.0/255.255.255.0/0/0 on interface outside

So what I am confused about is why we are getting a mismatch.

Jul 25 16:55:49 [IKEv1]: Group = 123.1.2.3, IP = 123.1.2.3, Static Crypto Map check, checking map = aptmap, seq = 80...

Jul 25 16:55:49 [IKEv1]: Group = 123.1.2.3, IP = 123.1.2.3, Static Crypto Map check, map = aptmap, seq = 80, ACL does not match proxy IDs src:100.10.10.0 dst:200.2.2.0

crypto map aptmap 80 match address vpn

access-list vpn line 1 extended permit icmp 200.2.2.0 255.255.255.0 100.10.10.0 255.255.254.0 (hitcnt=0) 0x9b93740a

We have had multiple people take a look at this on both sides, and the acl matches the checkpoint config. Anyone have any ideas or anything that can be run to get more info? Thanks in advance.

Daniel Voicu Mon, 07/28/2008 - 07:54

Hi,

I think this happens because on the NG there is a checkbox that summarizes all the local networks for the VPN connection, instead of keeping only the specific ones configured for that VPN.

Check here for a step-by-step guide for setting up a VPN from PIX to NG:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml

Also check that the Phase 2 timeouts are the same on both devices.

crypto map aptmap 80 set security-association lifetime seconds 28800

Please rate if this helped.

Regards,

Daniel

jgiles@e-dialog.com Mon, 07/28/2008 - 08:51

Well we rewrote the ACL to adjust for checkpoint subnet summarization. So that wasn't the issue.

We actually finally did get this working by changing the ACL to all IP as opposed to just certain protocols (ICMP in my example).

Luckily my environment puts the PIX on a leg off of the FWSM so I could control allowed traffic with the FWSM.

However it does bother me that I cannot use the ACL to be protocol specific.

Anyone run into something like this?
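The rejection in the first post can be read directly from the 713061 message: the peer's proxy IDs are addr/mask/protocol/port, and both sides carry protocol 0 (any), while the crypto ACE says permit icmp (protocol 1). The networks match; the protocol does not, which is consistent with the thread's finding that a permit ip ACE fixed it. The script below is an added example, not code from the thread or from Cisco: it parses a 713061 log line and the crypto ACL entries, and reports per entry which field fails to match. It assumes the responder requires exact network and protocol equality with an ACE (what the "ACL does not match proxy IDs" debug implies for a static crypto map), and handles only plain network/mask ACEs without port qualifiers. The inputs are the sanitized lines quoted above plus a constructed permit ip rewrite of the same ACE.

```python
import re
from ipaddress import IPv4Network

# Protocol keywords as they appear in PIX/ASA ACEs, mapped to IP protocol numbers.
# Proxy IDs in the 713061 message use 0 for "any protocol".
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}

# Proxy-ID fields in the message are addr/mask/protocol/port.
PROXY_RE = re.compile(
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rproto>\d+)/(?P<rport>\d+)"
    r" local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lproto>\d+)/(?P<lport>\d+)"
)

# Assumption: only network/mask ACEs without port qualifiers are handled.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?:line \d+ )?extended permit (?P<proto>\S+)"
    r" (?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+)"
)

# Sample input: the sanitized log line and ACE quoted in the thread,
# plus a constructed "permit ip" rewrite of the same ACE.
PIX_LOG = (
    "Jul 25 2008 15:20:09 713061 Group = 123.1.2.3, IP = 123.1.2.3, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "100.10.10.0/255.255.254.0/0/0 local proxy 200.2.2.0/255.255.255.0/0/0 "
    "on interface outside"
)
ICMP_ACE = ("access-list vpn line 1 extended permit icmp 200.2.2.0 255.255.255.0 "
            "100.10.10.0 255.255.254.0 (hitcnt=0) 0x9b93740a")
IP_ACE = ("access-list vpn line 1 extended permit ip 200.2.2.0 255.255.255.0 "
          "100.10.10.0 255.255.254.0")


def parse_proxy_ids(log_line):
    """Extract the peer's proposed proxy IDs from a 713061 message."""
    m = PROXY_RE.search(log_line)
    if m is None:
        raise ValueError("no proxy IDs found in log line")
    return {
        "local": IPv4Network(f"{m['laddr']}/{m['lmask']}"),
        "remote": IPv4Network(f"{m['raddr']}/{m['rmask']}"),
        "proto": int(m["lproto"]),  # local and remote carry the same protocol
        "port": int(m["lport"]),
    }


def parse_ace(line):
    """Parse one crypto ACE; source is the local side, destination the remote side."""
    m = ACE_RE.search(line)
    if m is None:
        raise ValueError(f"unsupported ACE: {line}")
    proto = m["proto"].lower()
    if proto not in PROTO_NUMBERS:
        raise ValueError(f"unknown protocol keyword: {proto}")
    return {
        "acl": m["acl"],
        "src": IPv4Network(f"{m['src']}/{m['smask']}"),
        "dst": IPv4Network(f"{m['dst']}/{m['dmask']}"),
        "proto": PROTO_NUMBERS[proto],
    }


def compare(proxy, ace):
    """Return the fields on which the ACE fails to match the proposed proxy IDs.

    An empty list means the responder would accept this ACE. Exact network and
    protocol equality is assumed (see lead-in).
    """
    mismatches = []
    if ace["src"] != proxy["local"]:
        mismatches.append(f"local network (ACE {ace['src']} vs proxy {proxy['local']})")
    if ace["dst"] != proxy["remote"]:
        mismatches.append(f"remote network (ACE {ace['dst']} vs proxy {proxy['remote']})")
    if ace["proto"] != proxy["proto"]:
        mismatches.append(f"protocol (ACE {ace['proto']} vs proxy {proxy['proto']})")
    return mismatches


def diagnose(log_line, acl_lines):
    """Map each ACE to the reasons it does not match the rejected proposal."""
    proxy = parse_proxy_ids(log_line)
    return {line: compare(proxy, parse_ace(line)) for line in acl_lines}


if __name__ == "__main__":
    for ace, reasons in diagnose(PIX_LOG, [ICMP_ACE, IP_ACE]).items():
        print(ace)
        print("  ->", "match" if not reasons else "; ".join(reasons))
```

Run against the two ACEs, the icmp entry reports only a protocol mismatch (ACE 1 vs proxy 0) and the ip entry reports none. The practical consequence is the one the thread arrived at: a peer that proposes its encryption domain with protocol "any" cannot be matched by a protocol-specific crypto ACL, so the crypto ACL should select networks and the traffic restriction belongs on an interface ACL or a separate firewall (here the FWSM).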
