07-28-2008 05:38 AM - edited 03-09-2019 09:10 PM
I have a support case open on this but it's not getting anywhere.
Here is the issue: I can establish a connection from the PIX to the CPNG and everything is happy, but when the CPNG side initiates the tunnel we get a phase 2 failure where the PIX rejects the SA.
Here are the log entries and config info (IPs and access-list names have been changed for security reasons):
Jul 25 2008 15:20:09 713061 Group = 123.1.2.3, IP = 123.1.2.3, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 100.10.10.0/255.255.254.0/0/0 local proxy 200.2.2.0/255.255.255.0/0/0 on interface outside
So what I am confused about is why we are getting a mismatch.
Jul 25 16:55:49 [IKEv1]: Group = 123.1.2.3, IP = 123.1.2.3, Static Crypto Map check, checking map = aptmap, seq = 80...
Jul 25 16:55:49 [IKEv1]: Group = 123.1.2.3, IP = 123.1.2.3, Static Crypto Map check, map = aptmap, seq = 80, ACL does not match proxy IDs src:100.10.10.0 dst:200.2.2.0
crypto map aptmap 80 match address vpn
access-list vpn line 1 extended permit icmp 200.2.2.0 255.255.255.0 100.10.10.0 255.255.254.0 (hitcnt=0) 0x9b93740a
We have had multiple people take a look at this on both sides, and the acl matches the checkpoint config. Anyone have any ideas or anything that can be run to get more info? Thanks in advance.
07-28-2008 07:54 AM
Hi,
I think this happens because on the NG there is a checkmark that summarizes all the local networks for the VPN connection, instead of keeping only the specific ones configured for that VPN.
Check here for a step-by-step guide to setting up a VPN from PIX to NG:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml
Also check that the Phase 2 timeouts are the same on both devices:
crypto map aptmap 80 set security-association lifetime seconds 28800
Please rate if this helped.
Regards,
Daniel
07-28-2008 08:51 AM
Well we rewrote the ACL to adjust for checkpoint subnet summarization. So that wasn't the issue.
We actually finally did get this working by changing the ACL to all IP as opposed to just certain protocols (ICMP in my example).
Luckily my environment puts the PIX on a leg off of the FWSM so I could control allowed traffic with the FWSM.
However it does bother me that I cannot use the ACL to be protocol specific.
Anyone run into something like this?
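As an added diagnostic (not code from this thread or from Cisco), the script below parses the PIX 713061 rejection message and a crypto-map ACL entry and reports which field of the proxy IDs disagrees. The sample log line and ACL entries are constructed from the sanitized values in this thread; the protocol field (peer proposes 0 = any, ACL says icmp) is the mismatch the last post describes.

```python
import ipaddress
import re

# Constructed samples mirroring the thread's sanitized PIX output.
LOG_LINE = ("Jul 25 2008 15:20:09 713061 Group = 123.1.2.3, IP = 123.1.2.3, "
            "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
            "100.10.10.0/255.255.254.0/0/0 local proxy 200.2.2.0/255.255.255.0/0/0 "
            "on interface outside")
ACL_ICMP = "access-list vpn line 1 extended permit icmp 200.2.2.0 255.255.255.0 100.10.10.0 255.255.254.0"
ACL_IP = "access-list vpn line 1 extended permit ip 200.2.2.0 255.255.255.0 100.10.10.0 255.255.254.0"

# Protocol keywords as they appear in the ACL, mapped to the IP protocol number.
# 'ip' maps to 0, which is also what the peer's proxy ID carries for 'any protocol'.
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}

# Proxy ID format in the PIX message: network/mask/protocol/port.
PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/(\d+)/(\d+) "
                      r"local proxy ([\d.]+)/([\d.]+)/(\d+)/(\d+)")
ACL_RE = re.compile(r"permit (\w+) ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")


def parse_proxy_ids(line):
    """Extract remote/local proxy networks and the proposed protocol from a 713061 line."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    rnet, rmask, rproto, _rport, lnet, lmask, lproto, _lport = m.groups()
    return {"remote": ipaddress.ip_network(f"{rnet}/{rmask}"),
            "local": ipaddress.ip_network(f"{lnet}/{lmask}"),
            "proto": int(rproto) if rproto == lproto else -1}


def parse_acl(line):
    """Extract protocol, source (local) and destination (remote) networks from an ACE."""
    m = ACL_RE.search(line)
    if not m:
        return None
    proto, snet, smask, dnet, dmask = m.groups()
    return {"proto": PROTO_NUM[proto.lower()],
            "src": ipaddress.ip_network(f"{snet}/{smask}"),
            "dst": ipaddress.ip_network(f"{dnet}/{dmask}")}


def proxy_mismatch(proxy, acl):
    """Return the fields on which the peer's proxy IDs disagree with the crypto ACE."""
    problems = []
    if acl["src"] != proxy["local"]:
        problems.append("local network")
    if acl["dst"] != proxy["remote"]:
        problems.append("remote network")
    if acl["proto"] != proxy["proto"]:
        problems.append("protocol")
    return problems


if __name__ == "__main__":
    proxy = parse_proxy_ids(LOG_LINE)
    for ace in (ACL_ICMP, ACL_IP):
        print(ace.split("permit ")[1], "->", proxy_mismatch(proxy, parse_acl(ace)) or "match")
```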