I have a support case open on this but it's not getting anywhere.
Here is the issue: I can establish a connection from the PIX to the CPNG and everything is happy, but when the CPNG side initiates the tunnel we get a phase 2 failure where the PIX rejects the SA.
Here are the log entries and config info (IPs and access-list names have been changed for security reasons):
Jul 25 2008 15:20:09 713061 Group = 22.214.171.124, IP = 126.96.36.199, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 188.8.131.52/255.255.254.0/0/0 local proxy 184.108.40.206/255.255.255.0/0/0 on interface outside
So what I am confused about is why we are getting a mismatch.
Jul 25 16:55:49 [IKEv1]: Group = 220.127.116.11, IP = 18.104.22.168, Static Crypto Map check, checking map = aptmap, seq = 80...
Jul 25 16:55:49 [IKEv1]: Group = 22.214.171.124, IP = 126.96.36.199, Static Crypto Map check, map = aptmap, seq = 80, ACL does not match proxy IDs src:188.8.131.52 dst:184.108.40.206
crypto map aptmap 80 match address vpn
access-list vpn line 1 extended permit icmp 220.127.116.11 255.255.255.0 18.104.22.168 255.255.254.0 (hitcnt=0) 0x9b93740a
We have had multiple people take a look at this on both sides, and the ACL matches the Check Point config. Anyone have any ideas or anything that can be run to get more info? Thanks in advance.