02-01-2012 06:30 AM
Hi all,
We have a site-to-site VPN set up from a Checkpoint to an ASA 5505. Phase 1 is completing but not Phase 2; below are the logs from the ASA.
IPs are modified
01 20:12:21 [IKEv1]: Group = 2.2.2.10, IP = 2.2.2.10, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 1.1.1.0/255.255.255.0/0/0 on interface outside
check, map = outside_map, seq = 2, ACL does not match proxy IDs src:0.0.0.0 dst:1.1.1.0
01 20:12:21 [IKEv1]: Group = 2.2.2.10, IP = 2.2.2.10, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 1.1.1.0/255.255.255.0/0/0 on interface outside
Checkpoint peer 2.2.2.10 and remote-network NAT IP 2.2.2.2
Cisco ASA local network 1.1.1.0/24
When accessing from the Checkpoint side, all IPs hide behind 2.2.2.2
Configuration below:
access-list inside_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 host 2.2.2.2
access-list out extended permit ip any any
access-list vpn extended permit ip 1.1.1.0 255.255.255.0 host 2.2.2.2
access-list vpn extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0
access-list inbound extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0
access-list ins extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ins in interface inside
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
route inside 1.1.1.0 255.255.255.0 x.x.x.x
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address vpn
crypto map outside_map 2 set peer 2.2.2.10
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 2.2.2.10 type ipsec-l2l
tunnel-group 2.2.2.10 ipsec-attributes
 pre-shared-key *
02-01-2012 10:17 AM
First, this is not required:
access-list vpn extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0
Second, check the Checkpoint end as well.
Thanks
Ajay
02-02-2012 02:56 AM
Removed:
access-list vpn extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0
[IKEv1]: IP = 2.2.2.10, Received encrypted packet with no matching SA, dropping
Cross-checked the configuration; the Phase 2 parameters look fine at both ends:
3DES, MD5, 3600 seconds. NAT-T is supported.
sysopt connection permit-vpn
Is there anything else I need to check?
When accessing from the Checkpoint side to the ASA side (1.1.1.0), don't we need the access-list below at the ASA side? All IPs hide behind 2.2.2.2 at the Checkpoint.
access-list vpn extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0
02-02-2012 04:33 AM
From the ASA, the encryption domain would be:
Local 1.1.1.0/24
Remote 2.2.2.2/32
So this is the only ACL required:
access-list vpn extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0
I am not sure how the Checkpoint is configured.
The encryption domain at the Checkpoint should be just the reverse.
Ajay
02-02-2012 06:17 AM
Received encrypted packet with no matching SA, dropping
What causes this issue?
02-02-2012 06:49 AM
Most probably Phase 2 is failing.
02-02-2012 10:46 AM
The issue is likely on the Checkpoint end. Because the Checkpoint is NATing everything behind 2.2.2.2 when going across the VPN tunnel, the Checkpoint needs to include both 2.2.2.2 and whatever is being NATed to 2.2.2.2 as part of the encryption domain.
Easy right?
02-03-2012 09:30 AM
Hi all,
Yes, the issue was at the Checkpoint end. After going through the ASA debug, the log below indicates that the Checkpoint is sending the proxy ID as 0.0.0.0/0.0.0.0/0/0, so I changed the tunnel management from per subnet to per host, and there we go, it works.
no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 1.1.1.0/255.255.255.0/0/0 on interface outside
Thanks all
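To show concretely why the ASA rejected the Phase 2 proposal above, here is an added example (not Cisco code and not from any poster) that models the ASA's crypto-map matching as the log describes it: the received local/remote proxy IDs must equal the source/destination of a crypto ACL entry exactly, so a 0.0.0.0/0 remote proxy fails even though it contains 2.2.2.2. The ACL line, the proxy-ID strings and the exact-match rule are taken from the thread; the function names are my own.

```python
import ipaddress

# Constructed input: the thread's crypto ACL ("crypto map outside_map 2 match address vpn")
CRYPTO_ACL = [
    "access-list vpn extended permit ip 1.1.1.0 255.255.255.0 host 2.2.2.2",
]


def _parse_endpoint(tokens, i):
    """Parse one ACE address clause starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # "address netmask" form, e.g. 1.1.1.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Return (src_net, dst_net) from an 'access-list NAME extended permit ip SRC DST' line."""
    tokens = line.split()
    src, i = _parse_endpoint(tokens, 5)
    dst, _ = _parse_endpoint(tokens, i)
    return src, dst


def parse_proxy(proxy):
    """Parse the log's 'addr/mask/proto/port' proxy ID (e.g. 0.0.0.0/0.0.0.0/0/0) into a network."""
    addr, mask, _proto, _port = proxy.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}")


def find_matching_ace(acl, local_proxy, remote_proxy):
    """Return the ACE whose (src, dst) equals (local, remote) exactly, or None.

    Assumption (matches the 'ACL does not match proxy IDs' log): the ASA as IKEv1
    responder compares proxy IDs for equality, not for subnet containment.
    """
    local, remote = parse_proxy(local_proxy), parse_proxy(remote_proxy)
    for line in acl:
        src, dst = parse_ace(line)
        if src == local and dst == remote:
            return line
    return None


if __name__ == "__main__":
    # Per-subnet Checkpoint tunnel: remote proxy 0.0.0.0/0 -> no match (the thread's failure)
    print(find_matching_ace(CRYPTO_ACL, "1.1.1.0/255.255.255.0/0/0", "0.0.0.0/0.0.0.0/0/0"))
    # Per-host Checkpoint tunnel: remote proxy 2.2.2.2/32 -> matches the ACE
    print(find_matching_ace(CRYPTO_ACL, "1.1.1.0/255.255.255.0/0/0", "2.2.2.2/255.255.255.255/0/0"))
```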
04-19-2017 09:45 AM
Hello,
Can anybody help me understand whether this can be implemented?
I am working on a site-to-site VPN, all using ASA 5500 series firewalls, but the peer IP I am using is the same for the two VPNs connected. Could you please help me find the problem?
My colleague on the remote site is using Diffie-Hellman Group 2, and it is the same on my side. He is using ASDM 7.6 and I am using ASDM 6.2, but when trying to ping I get the following errors:
Phase 1 failure: Mismatched attribute types for class Group, Description: Rcv'd: Group 5 cfg'd: Group 2
We already have another tunnel running, and the peer IPs we would like to use are the ones used in the previous tunnel.
Phase 1 Failure: