cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
201
Views
5
Helpful
2
Replies
Beginner

FTD VPN PROBLEM Group = Rejecting IPSec tunnel

Hello Cisco Community,

 

We recently check in the VPN the communication is not working well.

We received these errors: 

 

 Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.29.180.0/255.255.254.0/0/0 local proxy 172.19.5.0/255.255.255.0/0/0 on interface Internet


 Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.113.41/255.255.255.255/0/0 local proxy 172.19.6.0/255.255.255.0/0/0 on interface Internet

 

x.x.x.x is a checkpoint peer

 

I have configured in my FTD peer 

 

Remote Encryption Domain

 

172.29.180.0/24

192.168.113.0/24

 

Local Encryption Domain 

 

172.19.5.0/24

172.19.6.0/24

 

Thanks all 

 

Everyone's tags (1)
2 REPLIES 2
VIP Advocate RJI VIP Advocate
VIP Advocate

Re: FTD VPN PROBLEM Group = Rejecting IPSec tunnel

Hi,

You've got a mismatch in your crypto ACL.

 

no matching crypto map entry for remote proxy 172.29.180.0/255.255.254.0

no matching crypto map entry for remote proxy 192.168.113.41/255.255.255.255

 

Remote Encryption Domain

172.29.180.0/24 < you've defined it as a /24 but it's a /23 (255.255.254.0)

192.168.113.0/24 < you've defined it as a /24 but it's a /32 (255.255.255.255)

 

Confirm exactly what is configured on the Checkpoint device and change the ACL to match exactly.

HTH

 

 

 

Highlighted
Hall of Fame Master

Re: FTD VPN PROBLEM Group = Rejecting IPSec tunnel

Nice catch @RJI