08-23-2019 01:58 PM - edited 02-21-2020 09:44 PM
Hello Cisco Community,
We recently checked the VPN and the communication is not working well.
We received these errors:
Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.29.180.0/255.255.254.0/0/0 local proxy 172.19.5.0/255.255.255.0/0/0 on interface Internet
Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.113.41/255.255.255.255/0/0 local proxy 172.19.6.0/255.255.255.0/0/0 on interface Internet
x.x.x.x is a Checkpoint peer.
I have configured in my FTD peer:
Remote Encryption Domain
172.29.180.0/24
192.168.113.0/24
Local Encryption Domain
172.19.5.0/24
172.19.6.0/24
Thanks all
08-23-2019 02:18 PM
Hi,
You've got a mismatch in your crypto ACL.
no matching crypto map entry for remote proxy 172.29.180.0/255.255.254.0
no matching crypto map entry for remote proxy 192.168.113.41/255.255.255.255
Remote Encryption Domain
172.29.180.0/24 < you've defined it as a /24 but it's a /23 (255.255.254.0)
192.168.113.0/24 < you've defined it as a /24 but it's a /32 (255.255.255.255)
Confirm exactly what is configured on the Checkpoint device and change the ACL to match exactly.
HTH
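The mismatch above can be checked mechanically: the rejection message carries the proxy IDs the peer proposed (network/netmask/protocol/port for both sides), so a small script can parse them and compare each one against the encryption domain configured locally. The following is an added example written for this thread, not code from Cisco or from either poster; the peer address and log lines are constructed placeholders modelled on the messages quoted above, and the configured domains are the ones listed in the question.

```python
import ipaddress
import re

# Constructed sample log lines modelled on the thread's messages.
# 203.0.113.10 is a documentation-range placeholder for the peer, not a real value.
SAMPLE_LOGS = [
    "Group = 203.0.113.10, IP = 203.0.113.10, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 172.29.180.0/255.255.254.0/0/0 "
    "local proxy 172.19.5.0/255.255.255.0/0/0 on interface Internet",
    "Group = 203.0.113.10, IP = 203.0.113.10, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 192.168.113.41/255.255.255.255/0/0 "
    "local proxy 172.19.6.0/255.255.255.0/0/0 on interface Internet",
]

# Encryption domains as configured on the local side in the question.
LOCAL_DOMAIN = ["172.19.5.0/24", "172.19.6.0/24"]
REMOTE_DOMAIN = ["172.29.180.0/24", "192.168.113.0/24"]

# The proxy IDs in the rejection message have the form net/mask/protocol/port.
PROXY_RE = re.compile(
    r"remote proxy (?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rproto>\d+)/(?P<rport>\d+) "
    r"local proxy (?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lproto>\d+)/(?P<lport>\d+)"
)


def parse_proxy_ids(line):
    """Return (remote_net, local_net) as ip_network objects, or None if the
    line is not a 'no matching crypto map entry' rejection."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    # ip_network accepts dotted netmasks; strict=False tolerates host bits
    # so a /32 host proxy such as 192.168.113.41/255.255.255.255 parses too.
    remote = ipaddress.ip_network(f"{m['rnet']}/{m['rmask']}", strict=False)
    local = ipaddress.ip_network(f"{m['lnet']}/{m['lmask']}", strict=False)
    return remote, local


def classify(proposed, configured):
    """Describe how a proposed proxy network relates to the configured domain.
    Only 'exact' will let the crypto map entry match; the other results say
    in which direction the peer's configuration differs."""
    nets = [ipaddress.ip_network(c) for c in configured]
    if proposed in nets:
        return "exact"
    for n in nets:
        if proposed.subnet_of(n):
            return f"narrower than configured {n}"
        if n.subnet_of(proposed):
            return f"wider than configured {n}"
    return "no overlap"


def diagnose(lines, local_domain, remote_domain):
    """Run every rejection line against the configured domains and return
    one finding per rejection with the proposed networks in CIDR form."""
    findings = []
    for line in lines:
        ids = parse_proxy_ids(line)
        if ids is None:
            continue
        remote, local = ids
        findings.append({
            "remote_proposed": str(remote),
            "remote_status": classify(remote, remote_domain),
            "local_proposed": str(local),
            "local_status": classify(local, local_domain),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOGS, LOCAL_DOMAIN, REMOTE_DOMAIN):
        print(f"remote {f['remote_proposed']}: {f['remote_status']}; "
              f"local {f['local_proposed']}: {f['local_status']}")
```

Run against the two sample lines it reports the first remote proxy as wider than the configured 172.29.180.0/24 (the peer sent a /23) and the second as narrower than 192.168.113.0/24 (the peer sent a /32 host), while both local proxies match exactly, which is the same conclusion as the reply above. Feed it the real syslog export and the configured domains to get the full list of entries that need to be aligned with the Checkpoint side.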
08-25-2019 05:23 AM
Nice catch @Rob Ingram