Cisco and Checkpoint - no proposal chosen

richi3161
Level 1

Hi,

We had a working IPsec VPN between an IOS router and a Checkpoint firewall. Now, after adding host entries to the ACL, we got "no proposal chosen".

My question:

=> Can we use more than one entry in an ACL attached to a crypto map? <=

Like this for example:

access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
...

Greetings Richi

1 Accepted Solution


pjhenriqs
Level 1

Hi Richi,

Yes, you can use more than one entry in that ACL, but the ACL should be symmetric on the other side of the VPN.

So for example

access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5

should be on the other side:

access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31

Have you checked that you have the symmetric access lists?

Hope it helps,

Paulo

2 Replies

We found a solution / workaround:

The order of the Cisco ACL was clear, but not from Checkpoint side. So we built up the new encryption domains step by step.

=> After every entry (same network / host object, of course symmetric) we checked the IPsec tunnel.

Now all entries are done and the tunnel is still active.
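Both Paulo's advice (each crypto ACL entry needs its mirror image on the peer) and Richi's workaround (add one entry at a time and re-check) come down to the same check: every (source, destination) pair the router will propose as proxy IDs must appear swapped on the far side, or IKE phase 2 fails with "no proposal chosen". The script below is an added example, not code from this thread or from Cisco: it parses Cisco `access-list ... permit` lines into network pairs, generates the mirrored ACL the peer would need, and reports entries that have no mirror on either side. The peer ACL is a constructed sample in Cisco syntax standing in for the Checkpoint encryption domain (the real Checkpoint side is configured with network objects, not an ACL); the deliberate mismatch in it (4.50.50.4 only on side A, 4.26.13.5 only on side B) is invented to show what the check flags.

```python
import ipaddress

# Constructed sample: the router side, taken from the question's ACL entries.
SIDE_A_ACL = """
access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4
"""

# Constructed sample: the peer's encryption domain written in Cisco syntax (assumption).
# It is intentionally out of step with side A so the check has something to report.
SIDE_B_ACL = """
access-list 125 permit ip 4.72.0.0 0.0.255.255 172.17.17.160 0.0.0.31
access-list 125 permit ip 4.72.0.0 0.0.255.255 172.17.18.0 0.0.0.31
access-list 125 permit ip host 4.14.6.243 172.17.18.0 0.0.0.31
access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31
"""


def _parse_endpoint(tokens, i):
    """Read one ACL endpoint starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # "address wildcard": IPv4Network accepts a (address, hostmask) tuple.
    # strict=False mirrors IOS, which masks off host bits instead of rejecting them.
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_crypto_acl(text):
    """Return the list of (src_net, dst_net) proxy-ID pairs defined by permit entries.

    Only 'access-list <n> permit <proto> <src> <dst>' is handled; deny lines and
    blank lines are skipped, and any port qualifiers after the endpoints are ignored.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        src, i = _parse_endpoint(tokens, 4)  # tokens[3] is the protocol
        dst, _ = _parse_endpoint(tokens, i)
        entries.append((src, dst))
    return entries


def format_endpoint(net):
    """Render a network back in Cisco ACL syntax (host / any / address wildcard)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def mirror_acl_text(text, acl_number=125):
    """Produce the ACL lines the peer needs: every entry with src and dst swapped."""
    return [
        f"access-list {acl_number} permit ip {format_endpoint(dst)} {format_endpoint(src)}"
        for src, dst in parse_crypto_acl(text)
    ]


def check_symmetry(local_text, remote_text):
    """Return (local entries the peer does not mirror, peer entries we do not mirror).

    Both lists are empty when the two ACLs are exact mirror images, which is the
    condition the accepted answer describes.
    """
    local = set(parse_crypto_acl(local_text))
    remote = set(parse_crypto_acl(remote_text))
    mirrored_remote = {(dst, src) for src, dst in remote}
    mirrored_local = {(dst, src) for src, dst in local}
    unmatched_local = sorted(local - mirrored_remote, key=str)
    unmatched_remote = sorted(remote - mirrored_local, key=str)
    return unmatched_local, unmatched_remote


if __name__ == "__main__":
    only_a, only_b = check_symmetry(SIDE_A_ACL, SIDE_B_ACL)
    for src, dst in only_a:
        print(f"side A entry {src} -> {dst} has no mirror on side B")
    for src, dst in only_b:
        print(f"side B entry {src} -> {dst} has no mirror on side A")
    print("ACL the peer would need to mirror side A exactly:")
    for line in mirror_acl_text(SIDE_A_ACL):
        print("  " + line)
```

Running this prints the two one-sided entries and the full mirrored ACL for side A, which is the list to walk through entry by entry when rebuilding the encryption domain the way Richi did. The check compares exact networks, so a peer that covers 4.14.6.243 with a wider summary instead of a host object is reported as a mismatch; that is deliberate, because a non-identical proxy ID is precisely what produces "no proposal chosen".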