FTD VPN PROBLEM Group = Rejecting IPSec tunnel

jairo.moreno
Level 1

Hello Cisco Community,

We recently checked the VPN and the communication is not working well.

We received these errors:

Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.29.180.0/255.255.254.0/0/0 local proxy 172.19.5.0/255.255.255.0/0/0 on interface Internet

Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.113.41/255.255.255.255/0/0 local proxy 172.19.6.0/255.255.255.0/0/0 on interface Internet

x.x.x.x is a Checkpoint peer.

I have configured the following on my FTD peer:

Remote Encryption Domain

172.29.180.0/24

192.168.113.0/24

Local Encryption Domain

172.19.5.0/24

172.19.6.0/24

Thanks all

2 Replies

Hi,

You've got a mismatch in your crypto ACL.

no matching crypto map entry for remote proxy 172.29.180.0/255.255.254.0

no matching crypto map entry for remote proxy 192.168.113.41/255.255.255.255

Remote Encryption Domain

172.29.180.0/24 < you've defined it as a /24 but it's a /23 (255.255.254.0)

192.168.113.0/24 < you've defined it as a /24 but it's a /32 (255.255.255.255)

Confirm exactly what is configured on the Checkpoint device and change the ACL to match exactly.

HTH
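The check above can be automated: parse the "Rejecting IPSec tunnel" lines, turn each proxy ID's netmask into a prefix length, and compare it against the FTD encryption domains, reporting which configured entry only overlaps instead of matching exactly. This is an added example, not code from the thread or from Cisco; the log lines are constructed to mirror the ones quoted above and the domain lists are the poster's.

```python
import ipaddress
import re

# Constructed sample lines modelled on the rejections quoted in this thread (not a real capture).
SAMPLE_LOGS = [
    "Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry "
    "for remote proxy 172.29.180.0/255.255.254.0/0/0 local proxy 172.19.5.0/255.255.255.0/0/0 "
    "on interface Internet",
    "Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry "
    "for remote proxy 192.168.113.41/255.255.255.255/0/0 local proxy 172.19.6.0/255.255.255.0/0/0 "
    "on interface Internet",
]

# Encryption domains as the poster configured them on the FTD side.
LOCAL_DOMAIN = ["172.19.5.0/24", "172.19.6.0/24"]
REMOTE_DOMAIN = ["172.29.180.0/24", "192.168.113.0/24"]

# Proxy IDs in the log are written as address/netmask/protocol/port.
PROXY_RE = re.compile(
    r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+"
)

def parse_proxy_ids(line):
    """Return (remote_net, local_net) from a rejection line, or None for other lines."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    # ip_network accepts a dotted netmask and normalises it to a prefix length.
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return remote, local

def explain_mismatch(net, configured):
    """Exact proxy-ID equality is required; a merely overlapping entry explains the reject."""
    if net in configured:
        return "match"
    for entry in configured:
        if net.overlaps(entry):
            return f"configured as {entry}, peer proposes {net}"
    return "no overlapping entry configured"

def analyze_logs(lines, local_domain, remote_domain):
    """Compare every rejection line against the FTD local and remote encryption domains."""
    configured_local = [ipaddress.ip_network(n) for n in local_domain]
    configured_remote = [ipaddress.ip_network(n) for n in remote_domain]
    findings = []
    for line in lines:
        parsed = parse_proxy_ids(line)
        if parsed is None:
            continue
        remote, local = parsed
        findings.append({"remote_proxy": str(remote), "local_proxy": str(local),
                         "remote": explain_mismatch(remote, configured_remote),
                         "local": explain_mismatch(local, configured_local)})
    return findings
```

Run `analyze_logs(SAMPLE_LOGS, LOCAL_DOMAIN, REMOTE_DOMAIN)` to get one finding per rejection; for the two lines above it reports the remote side as /23 and /32 against the configured /24s, with the local side matching.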

Nice catch @Rob Ingram