Cisco_vpn crypto_map issue

rgk013013 · ‎02-01-2012

Hi all ,

We had site to site VPN setup from Checkpoint to ASA 5505, Phase 1 is completing but not Phase 2 , below is the logs from ASA

IPs are modified

01 20:12:21 [IKEv1]: Group = 2.2.2.10, IP = 2.2.2.10, Rejecting IPSec tu

nnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 1.1.1.0/255.255.255.0/0/0 on interface outside

check, map = outside_map, seq = 2, ACL does not match proxy IDs src:0.0.0.0 dst:1.1.1.0

01 20:12:21 [IKEv1]: Group = 2.2.2.10, IP = 2.2.2.10, Rejecting IPSec tunel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local pr

oxy 1.1.1.0/255.255.255.0/0/0 on interface outside

checkpoint peer 2.2.2.10 and remote-network nat-ip 2.2.2.2

Cisco asa local network 1.1.1.0/24

accessing from checkpoint side all ip hide behind 2.2.2.2

configyaration below

access-list inside_nat0_outbound extended permit ip 1.1.1.0 255.255.255.0 host 2.2.2.2
access-list out extended permit ip any any
access-list vpn extended permit ip 1.1.1.0 255.255.255.0 host 2.2.2.2
access-list vpn extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0
access-list inbound extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0
access-list ins extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ins in interface inside
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
route inside 1.1.1.0 255.255.255.0 x.x.x.x

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address vpn
crypto map outside_map 2 set peer 2.2.2.10
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 2.2.2.10 type ipsec-l2l

tunnel-group 2.2.2.10 ipsec-attributes

pre-shared-key *

ajay chauhan · ‎02-01-2012

First this is not required .

access-list vpn extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0

2nd you see check checkpoint end as well.

Thanks

Ajay

rgk013013 · ‎02-02-2012

removed

access-list vpn extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0

[IKEv1]: IP = 2.2.2.10, Received encrypted packet with no matching SA, dropping

Cross checked configuration Phase 2 parameters looks fine at both end

3des,md5,3600seconds.. nat -t supports

syopt connection permit-vpn

any thing else need to check,

accessing from checkpoint side to asa side (1.1.1.0) don't we need below access-list at asa side,, all ip hide behind 2.2.2.2 at checkpoint

access-list vpn extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0

ajay chauhan · ‎02-02-2012

From ASA encryption domain would -

Local 1.1.1.0/24

Remote 2.2.2.2/32

So This is the only ACL required.

access-list vpn extended permit ip host 2.2.2.2 1.1.1.0 255.255.255.0

I am not sure the way checkpoint is configured.

Encryption domain at Checkpoint should be just reverse.

Ajay

rgk013013 · ‎02-02-2012

Received encrypted packet with no matching SA, dropping

What cause this issue..

ajay chauhan · ‎02-02-2012

Most prob phase 2 failing.

david.tran · ‎02-02-2012

The issue likely is on the Checkpoint end. Because checkpoint is NAT'ing everything behind 2.2.2.2 when going across the VPN tunnel, checkpoint needs to include both 2.2.2.2 and whatever is being NAT'ed to 2.2.2.2 as part of the encryption domain.

Easy right?

rgk013013 · ‎02-03-2012

Hi ALL,

Yes Issue Was at Checkpoint End ,after gone through ASA Debug below logs indicates that Checkpoint is sending Proxy id as 0.0.0.0/0.0.0.0/0/0 So changed the tunnel mangemnt per subnet to per host ,there we go it works.

no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 1.1.1.0/255.255.255.0/0/0 on interface outside

Thanks all

discuss120 · ‎04-19-2017

Hello,

can anybody help me to understand if this can be implemented?

I am working on site-to site VPN all using ASA Firewall 5500 series but the peer IP I am using is the same for the two VPN connected,could you please help me to find the problem.

My colleague on remote site is using Diffie Hellman Group 2 and its the same to my part and he is using ASDM 7.6 me I am using ASDM 6.2 but when trying to ping I get the following Errors:

Phase 1 failure:Mismatched attribute types for class Group ,Description:Rcv'd:Group5 cfg'd:Group 2

We already have another tunnel running and the peer IP we would like to use are the ones used in the previous tunnel,

Phase 1Failure: