Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
339
Views
0
Helpful
2
Replies

PIX535 to Checkpoint NG, no match found, BUT THERE IS A MATCH

jgiles
Level 1
Level 1

‎07-28-2008 05:38 AM - edited ‎03-09-2019 09:10 PM

I have a support case open on this but its not getting anywhere.

Here is the issue, i can establish a connection from the pix to the CPNG and everything is happy, but when the CPNG side initates the tunnel we get a phase 2 failure where the pix rejects the SA.

Here are the log entries and config info (IP's and access-list names have been changed for security reasons)

Jul 25 2008 15:20:09 713061 Group = 123.1.2.3, IP = 123.1.2.3, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 100.10.10.0/255.255.254.0/0/0 local proxy 200.2.2.0/255.255.255.0/0/0 on interface outside

So what I am confused as is why are we getting a mismatch?

Jul 25 16:55:49 [IKEv1]: Group = 123.1.2.3, IP = 123.1.2.3, Static Crypto Map check, checking map = aptmap, seq = 80...

Jul 25 16:55:49 [IKEv1]: Group = 123.1.2.3, IP = 123.1.2.3, Static Crypto Map check, map = aptmap, seq = 80, ACL does not match proxy IDs src:100.10.10.0 dst:200.2.2.0

crypto map aptmap 80 match address vpn

access-list vpn line 1 extended permit icmp 200.2.2.0 255.255.255.0 100.10.10.0 255.255.254.0 (hitcnt=0) 0x9b93740a

We have had multiple people take a look at this on both sides, and the acl matches the checkpoint config. Anyone have any ideas or anything that can be run to get more info? Thanks in advance.

Labels:
0 Helpful
2 Replies 2

5220
Level 4
Level 4

‎07-28-2008 07:54 AM

Hi,

I think this happens because on the NG there i a checkmark that summaries all the local networks for the VPN connection, instead of keeping only the specific ones configured for that VPN.

Check here a ste-by-step guide for setting up VPN from PIX to NG:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml

Also check the Phase2 timeouts to be the same on both devices.

crypto map aptmap 80 set security-association lifetime seconds 28800

Please rate if this helped.

Regards,

Daniel

0 Helpful

jgiles
Level 1
Level 1
In response to 5220

‎07-28-2008 08:51 AM

Well we rewrote the ACL to adjust for checkpoint subnet summarization. So that wasn't the issue.

We actually finally did get this working by changing the ACL to all ip as opposed to just certain protocols (ICMP in my example)

Luckily my environment puts the PIX on a leg off of the FWSM so I could control allowed traffic with the FWSM.

However it does bother me that I cannot use the ACL to be protocol specific.

Anyone run into something like this?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents