We had a site-to-site VPN set up from Checkpoint to an ASA 5505. Phase 1 is completing but not Phase 2; below are the logs from the ASA.
IPs are modified.
01 20:12:21 [IKEv1]: Group = 188.8.131.52, IP = 184.108.40.206, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 220.127.116.11/255.255.255.0/0/0 on interface outside
check, map = outside_map, seq = 2, ACL does not match proxy IDs src:0.0.0.0 dst:18.104.22.168
01 20:12:21 [IKEv1]: Group = 22.214.171.124, IP = 126.96.36.199, Rejecting IPSec tunel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 188.8.131.52/255.255.255.0/0/0 on interface outside
Checkpoint peer 184.108.40.206 and remote-network NAT IP 220.127.116.11
Cisco ASA local network 18.104.22.168/24
Accessing from the Checkpoint side, all IPs hide behind 22.214.171.124
access-list inside_nat0_outbound extended permit ip 126.96.36.199 255.255.255.0 host 188.8.131.52
access-list out extended permit ip any any
access-list vpn extended permit ip 184.108.40.206 255.255.255.0 host 220.127.116.11
access-list vpn extended permit ip host 18.104.22.168 22.214.171.124 255.255.255.0
access-list inbound extended permit ip host 126.96.36.199 188.8.131.52 255.255.255.0
access-list ins extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ins in interface inside
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
route inside 184.108.40.206 255.255.255.0 x.x.x.x
The issue is likely on the Checkpoint end. Because Checkpoint is NAT'ing everything behind 220.127.116.11 when going across the VPN tunnel, Checkpoint needs to include both 18.104.22.168 and whatever is being NAT'ed to 22.214.171.124 as part of the encryption domain.
Yes, the issue was at the Checkpoint end. After going through the ASA debug, the logs below indicate that Checkpoint is sending the proxy ID as 0.0.0.0/0.0.0.0/0/0, so I changed the tunnel management from per subnet to per host, and there we go, it works.
no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 126.96.36.199/255.255.255.0/0/0 on interface outside
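As an added triage aid (not part of the thread, and not Cisco or Checkpoint code), the script below parses an ASA "Rejecting IPSec tunnel" line of the form shown above, parses the crypto ACL in the same form as the "access-list vpn" lines, and reports whether the peer's proxy IDs mirror an ACE exactly, which is the check the ASA log on this page says is failing. The log line and ACL are constructed samples using RFC 5737 documentation addresses, and the hint texts are my own heuristics.

```python
import re
from ipaddress import ip_network

# Constructed sample ASA syslog line in the page's format (RFC 5737 documentation addresses).
ASA_LOG = ("[IKEv1]: Group = 198.51.100.1, IP = 198.51.100.1, Rejecting IPSec tunnel: "
           "no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 "
           "local proxy 192.0.2.0/255.255.255.0/0/0 on interface outside")
# Constructed crypto ACL in the same form as the page's "access-list vpn" lines.
CRYPTO_ACL = ["access-list vpn extended permit ip 192.0.2.0 255.255.255.0 host 198.51.100.50"]
PROXY_RE = re.compile(r"remote proxy ([^/ ]+)/([^/ ]+)/\S+ local proxy ([^/ ]+)/([^/ ]+)/\S+")

def _net(addr, mask):
    return ip_network(f"{addr}/{mask}", strict=False)

def _ace_net(tokens):
    """Consume one ACE address spec ('host X', 'any' or 'X MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    return _net(tokens[0], tokens[1]), tokens[2:]

def parse_proxy_ids(line):
    """Extract the peer-proposed remote/local proxy networks from a rejection line, or None."""
    m = PROXY_RE.search(line)
    return {"remote": _net(m[1], m[2]), "local": _net(m[3], m[4])} if m else None

def parse_ace(line):
    """On an ASA crypto ACL the source is the local network and the destination the remote one."""
    tokens = line.split()[5:]  # skip: access-list NAME extended permit ip
    local, rest = _ace_net(tokens)
    remote, _ = _ace_net(rest)
    return {"local": local, "remote": remote}

def diagnose(log_line, acl_lines):
    """Return (matched, explanation); the ASA expects an exact mirror of one ACE."""
    ids = parse_proxy_ids(log_line)
    if ids is None:
        return False, "not a proxy-ID rejection line"
    aces = [parse_ace(a) for a in acl_lines]
    if ids in aces:
        return True, "proxy IDs mirror an ACE"
    if ids["remote"].prefixlen == 0:
        return False, "peer proposes 0.0.0.0/0 as its side; narrow its encryption domain/tunnel granularity to match the ACE"
    if any(a["local"] == ids["local"] for a in aces):
        return False, f"local side matches but remote proxy {ids['remote']} is not in any ACE"
    return False, f"no ACE covers local proxy {ids['local']}"

if __name__ == "__main__":
    print(diagnose(ASA_LOG, CRYPTO_ACL))
```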