VPN Tunnel from Cisco ASA to Checkpoint UTM-1 Edge

Hi All,

I am currently trying to set up an IPSec site-to-site VPN tunnel from a Cisco 5520 to a Checkpoint UTM-1 Edge firewall. Phase 1 completes, but I get a mismatch crypto map error on phase 2. This is syslog message 713061. Unfortunately I don't control the Checkpoint firewall, but I am assured their crypto map is correct, and I know my crypto map is correct. Has anyone had any experience connecting to a Checkpoint UTM-1 Edge firewall?

Thanks for any help



Re: VPN Tunnel from Cisco ASA to Checkpoint UTM-1 Edge

There are several issues that I can think of:

1- Phase 1 is complete, which means that your phase 1 is OK on both sides.

2- Phase 2 fails because either the crypto map on your end is not correct or the encryption domain on the Checkpoint side is supernetting its networks and your side does not like it.

What is the interesting traffic on your side and what is the local encryption domain on the Checkpoint side? For example:

access-list 101 permit ip

access-list 101 permit ip

As you can see, on the Checkpoint side there are two networks, and Checkpoint, by default, will supernet these two networks into and send it to you during phase 2 negotiation, thus failing the VPN. There are workarounds for this, especially in NGX. This issue is well known between Checkpoint and Cisco VPN.

The best way to confirm is to run "vpn debug ikeon" on the Checkpoint box and look at the $FWDIR/log/ike.elg file with the IKEView.exe utility. It will tell you exactly where your VPN fails. The Checkpoint VPN debug utility is about 100 times better than Cisco's.

CCIE Security


Re: VPN Tunnel from Cisco ASA to Checkpoint UTM-1 Edge

Hi, thanks for the response.

I have a one-line crypto map, which is:

access-list cryptomap extended permit ip host

So I'm allowing traffic from our server here to their network.

I did a 'debug crypto isakmp 127' and eventually get the below:

May 06 14:23:01 [IKEv1]: Group = [Their Peer IP Address], IP = [Their Peer IP Address], Rejecting IPSec tunnel: no matching crypto map entry for remote proxy [Their Peer IP]/ local proxy [My Peer Address]/ on interface Outside

It confuses me why their peer IP is coming through, and mine, for the crypto map entry. Shouldn't this be the internal IPs, or am I reading this wrong? Could this go back to the Checkpoint issue you explained?

In the meantime I will have my contact perform the Checkpoint debugs you've explained.




Re: VPN Tunnel from Cisco ASA to Checkpoint UTM-1 Edge

On the UTM-1 Edge, in the VPN community configuration setting, select VPN to exchange key "per host" instead of the default of "per subnet pair".

VPN will work after that.

CCIE Security
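Added example, not code from the original thread: a small Python check that pulls the proxy IDs (traffic selectors) out of an ASA 713061 "no matching crypto map entry" message and compares them with the ASA's crypto ACL, so you can tell the two failure patterns discussed in this thread apart without reading IKE debugs by eye. The first answer's case, where the Check Point side aggregates its encryption domain into a supernet, shows up as an offered remote selector that is wider than, and contains, the configured remote network; the case in the reply above, where the gateways' own addresses arrive as proxy IDs, shows up as both selectors being /32s equal to the peer addresses. The addr/mask/protocol/port layout of the proxy IDs is the standard 713061 format; the ACL entry, the peer addresses and the three log lines are constructed for this example and are not from the original posts.

```python
"""Classify an ASA 713061 'no matching crypto map entry' rejection.

Added example, not from the original thread. The ACL, peer addresses and
syslog lines below are made up; only the 713061 proxy-ID layout is real.
"""
import ipaddress
import re

# Constructed ASA crypto ACL in the shape of the one-line ACL quoted in the
# thread: (local network, remote network). Addresses are invented.
CRYPTO_ACL = [
    ("192.0.2.10/32", "10.50.0.0/24"),
]

# Invented gateway addresses: the ASA's outside interface and the Check Point peer.
LOCAL_PEER = "203.0.113.1"
REMOTE_PEER = "198.51.100.1"

# Constructed syslog lines. The proxy IDs use the real 713061 layout
# addr/mask/protocol/port; the values are invented.
SAMPLE_LOGS = [
    # Proxy IDs exactly match the ACL (control case; a real ASA would not log this).
    "%ASA-3-713061: Group = 198.51.100.1, IP = 198.51.100.1, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 10.50.0.0/255.255.255.0/0/0 "
    "local proxy 192.0.2.10/255.255.255.255/0/0 on interface Outside",
    # Peer aggregated its two /24s into one /23 (the supernetting case).
    "%ASA-3-713061: Group = 198.51.100.1, IP = 198.51.100.1, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 10.50.0.0/255.255.254.0/0/0 "
    "local proxy 192.0.2.10/255.255.255.255/0/0 on interface Outside",
    # Peer offered the gateway addresses themselves as proxy IDs.
    "%ASA-3-713061: Group = 198.51.100.1, IP = 198.51.100.1, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 198.51.100.1/255.255.255.255/0/0 "
    "local proxy 203.0.113.1/255.255.255.255/0/0 on interface Outside",
]

PROXY_RE = re.compile(
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+"
)


def parse_proxies(line):
    """Return (remote_net, local_net) from a 713061 line, or None if not present."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    remote = ipaddress.ip_network(f"{m['raddr']}/{m['rmask']}", strict=False)
    local = ipaddress.ip_network(f"{m['laddr']}/{m['lmask']}", strict=False)
    return remote, local


def diagnose(line, acl=CRYPTO_ACL, local_peer=LOCAL_PEER, remote_peer=REMOTE_PEER):
    """Compare the offered proxy IDs with the crypto ACL and name the mismatch."""
    parsed = parse_proxies(line)
    if parsed is None:
        return {"verdict": "unparsed"}
    remote, local = parsed
    entries = [(ipaddress.ip_network(loc), ipaddress.ip_network(rem)) for loc, rem in acl]

    if any(local == loc and remote == rem for loc, rem in entries):
        verdict = "match"
    elif (remote == ipaddress.ip_network(f"{remote_peer}/32")
          and local == ipaddress.ip_network(f"{local_peer}/32")):
        # Both selectors are the gateways' own addresses: the peer is negotiating
        # an SA for the gateways themselves, not for the protected networks.
        verdict = "gateway-as-proxy"
    elif any(local == loc and rem != remote and rem.subnet_of(remote)
             for loc, rem in entries):
        # The offered remote selector is a wider prefix that covers our configured
        # remote network: the peer merged its encryption domain into a supernet.
        verdict = "peer-supernet"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "remote": str(remote), "local": str(local)}


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(diagnose(sample))
```

Feed it the actual 713061 lines from `show logging` (or the "Rejecting IPSec tunnel" line from `debug crypto isakmp`) together with your own crypto ACL and peer addresses. A "peer-supernet" verdict points at the encryption-domain aggregation described in the first answer; a "gateway-as-proxy" verdict is the symptom in the reply above, where the peer addresses rather than the internal networks appear as proxy IDs. Either way the proxy IDs the peer sends have to match a crypto ACL line exactly, which is why the fix lives on the side that generates them.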

Many thanks cisco24x7, your answer solved the problem.







Re: VPN Tunnel from Cisco ASA to Checkpoint UTM-1 Edge


I am having a similar problem with a Checkpoint: UTM-1 Edge X (8.0.36x) and an ASA5510 (8.0.4)...

Tunnel starts ok from the ASA but if the Checkpoint tries to start the tunnel, the ASA denies the connection since the encryption domain it is receiving includes the outside addresses of both firewalls instead of the internal hosts (debug crypto ipsec 250).

I've asked them to test bringing up the tunnel from the host itself and not from the firewall, and I still see the same behaviour.

I found this thread and suggested the changes to them, but they tell me that the firewall version they have is very limited and those options are not available.

Is there anything else you may suggest to try ??

Thanks and regards,