I have a support case open on this but it's not getting anywhere.
Here is the issue: I can establish a connection from the PIX to the CPNG and everything is happy, but when the CPNG side initiates the tunnel we get a phase 2 failure where the PIX rejects the SA.
Here are the log entries and config info (IPs and access-list names have been changed for security reasons):
Jul 25 2008 15:20:09 713061 Group = 126.96.36.199, IP = 188.8.131.52, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 184.108.40.206/255.255.254.0/0/0 local proxy 220.127.116.11/255.255.255.0/0/0 on interface outside
So what I am confused about is: why are we getting a mismatch?
Jul 25 16:55:49 [IKEv1]: Group = 18.104.22.168, IP = 22.214.171.124, Static Crypto Map check, checking map = aptmap, seq = 80...
Jul 25 16:55:49 [IKEv1]: Group = 126.96.36.199, IP = 188.8.131.52, Static Crypto Map check, map = aptmap, seq = 80, ACL does not match proxy IDs src:184.108.40.206 dst:220.127.116.11
crypto map aptmap 80 match address vpn
access-list vpn line 1 extended permit icmp 18.104.22.168 255.255.255.0 22.214.171.124 255.255.254.0 (hitcnt=0) 0x9b93740a
We have had multiple people take a look at this on both sides, and the ACL matches the Checkpoint config. Anyone have any ideas or anything that can be run to get more info? Thanks in advance.
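
An added example, not part of the original post and not vendor code: a small Python script that parses a "no matching crypto map entry" message and a crypto ACL line and lists every field where the peer's proposed proxy IDs differ from the ACL, protocol included. It assumes the two trailing numbers of each proxy in the log are protocol and port, compares strictly for equality, and uses constructed sample addresses rather than the poster's values.

```python
import ipaddress
import re

# Constructed sample input (private ranges, not the poster's values).
LOG = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
       "10.20.0.0/255.255.254.0/0/0 local proxy 192.168.5.0/255.255.255.0/0/0 "
       "on interface outside")
ACL = "access-list vpn extended permit icmp 192.168.5.0 255.255.255.0 10.20.0.0 255.255.254.0"

PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}  # ACL keyword -> IP protocol number

def parse_proxies(log):
    """Return {'remote': (network, proto, port), 'local': (...)} from the log message."""
    # Assumption: fields are address/mask/protocol/port.
    pat = r"(remote|local) proxy ([\d.]+)/([\d.]+)/(\d+)/(\d+)"
    return {side: (ipaddress.ip_network(f"{a}/{m}"), int(p), int(port))
            for side, a, m, p, port in re.findall(pat, log)}

def parse_acl(line):
    """Return (proto, src_net, dst_net) from a network/mask style extended ACL line."""
    m = re.search(r"permit (\w+) ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)", line)
    if not m:
        raise ValueError("unsupported ACL form (host/any/object-group not handled)")
    kw, s, sm, d, dm = m.groups()
    return (PROTO[kw], ipaddress.ip_network(f"{s}/{sm}"),
            ipaddress.ip_network(f"{d}/{dm}"))

def compare(log, acl):
    """List the fields where the peer's proposal differs from the crypto ACL."""
    prox = parse_proxies(log)
    proto, src, dst = parse_acl(acl)
    diffs = []
    # On the responder, the ACL source is the local proxy and the destination the remote.
    if src != prox["local"][0]:
        diffs.append(f"local network: ACL {src} vs proposed {prox['local'][0]}")
    if dst != prox["remote"][0]:
        diffs.append(f"remote network: ACL {dst} vs proposed {prox['remote'][0]}")
    for side in ("local", "remote"):
        if prox[side][1] != proto:
            diffs.append(f"{side} protocol: ACL {proto} vs proposed {prox[side][1]}")
    return diffs

if __name__ == "__main__":
    for d in compare(LOG, ACL):
        print(d)
```

Whether the device tolerates a given difference is not modelled here; the script only shows which of network, mask and protocol disagree.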