I am trying to form a VPN tunnel between a Cisco ASA 5540 and a third party managed Checkpoint firewall. Since I cannot see the config on the Checkpoint, I am hoping that someone can perhaps point me in the right direction.
Phase 1 completes between the two firewalls but Phase 2 initiates and dies. To my knowledge it looks like an encryption domain issue, but the 3rd party assures me that they have the correct subnets configured.
When I try to initiate a tunnel I receive the following messages:
Group = 188.8.131.52, IP = 184.108.40.206 PHASE 1 COMPLETED
Group = 220.127.116.11, IP = 18.104.22.168 , received non-routine Notify Message: Invalid ID (18)
Group = 22.214.171.124, IP = 126.96.36.199, QM FSM error (P2 struct..........)
Group = 188.8.131.52, IP = 184.108.40.206, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Group = 220.127.116.11, IP = 18.104.22.168, Removing Peer from correlator table failed, no match!
If anyone has had any experience with Cisco to Checkpoint VPN: it seems Checkpoint also has an option to specify tunnel types [one VPN tunnel per host pair] or [one VPN tunnel per subnet pair]; I am not sure which one the 3rd party should be using.
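The symptom in the post (Phase 1 up, then "Invalid ID (18)" followed by the QM FSM error) is what an IKEv1 responder sends when the Quick Mode ID payloads, i.e. the proxy IDs derived from the encryption domain, do not match its configuration. The script below is an added example, not part of the original post or of any Cisco/Check Point tooling: it parses log lines in the ASA's format, maps notify type 18 to its RFC 2408 meaning, and then compares an ASA crypto-map ACL against the subnet pairs a Check Point gateway would propose under the two tunnel-granularity settings the post names. The IP addresses, subnets and ACL entries are constructed placeholders, and the ASA is modelled as requiring an exact proxy-ID match, which is an assumption of this example rather than something the post states.

```python
import ipaddress
import re

# Constructed sample of the ASA messages quoted in the post (addresses are placeholders).
SAMPLE_LOG = """\
Group = 198.51.100.1, IP = 198.51.100.1, PHASE 1 COMPLETED
Group = 198.51.100.1, IP = 198.51.100.1 , received non-routine Notify Message: Invalid ID (18)
Group = 198.51.100.1, IP = 198.51.100.1, QM FSM error (P2 struct ...)
Group = 198.51.100.1, IP = 198.51.100.1, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
"""

# IKEv1 notify type 18 is INVALID-ID-INFORMATION (RFC 2408). In Quick Mode the ID payloads
# carry the proxy IDs (traffic selectors), so receiving it after Phase 1 completed almost
# always means the proposed local/remote networks differ from what the peer has configured.
NOTIFY_HINTS = {
    18: "INVALID-ID-INFORMATION: Phase 2 proxy IDs (encryption domain) rejected by peer",
}

NOTIFY_RE = re.compile(r"Notify Message: (?P<name>[^()]+?) \((?P<code>\d+)\)")
PEER_RE = re.compile(r"IP = ([\d.]+)")


def diagnose(log_text):
    """Return (peer_ip, diagnosis) for every IKE notify message found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if not m:
            continue
        peer = PEER_RE.search(line)
        code = int(m.group("code"))
        hint = NOTIFY_HINTS.get(code, f"notify {code}: {m.group('name').strip()}")
        findings.append((peer.group(1) if peer else "?", hint))
    return findings


def _representative_host(net):
    """One host address inside net, used to model a per-host (/32) proxy ID."""
    addr = net.network_address if net.prefixlen == 32 else net.network_address + 1
    return ipaddress.ip_network(f"{addr}/32")


def expected_proxy_pairs(local_domain, remote_domain, mode):
    """Expand a Check Point style encryption domain into the (local, remote) proxy ID
    pairs the gateway proposes in Quick Mode for the given tunnel-granularity mode."""
    local = [ipaddress.ip_network(n) for n in local_domain]
    remote = [ipaddress.ip_network(n) for n in remote_domain]
    if mode == "subnet_pair":          # "one VPN tunnel per subnet pair"
        return {(l, r) for l in local for r in remote}
    if mode == "host_pair":            # "one VPN tunnel per host pair": /32 <-> /32 per flow
        return {(_representative_host(l), _representative_host(r)) for l in local for r in remote}
    raise ValueError(f"unknown mode: {mode}")


def check_asa_acl(asa_acl, cp_local_domain, cp_remote_domain, mode):
    """Compare the ASA crypto-map ACL [(local, remote), ...] with the pairs the Check Point
    will propose. The ASA side is modelled as exact-match only (assumption of this example).
    Returns (pairs the peer proposes that the ASA lacks, ASA pairs the peer never proposes)."""
    asa_pairs = {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in asa_acl}
    # Seen from the ASA, the Check Point's remote domain is the ASA's local side.
    cp_pairs = {(r, l) for l, r in expected_proxy_pairs(cp_local_domain, cp_remote_domain, mode)}
    return sorted(cp_pairs - asa_pairs), sorted(asa_pairs - cp_pairs)


if __name__ == "__main__":
    for peer, hint in diagnose(SAMPLE_LOG):
        print(f"{peer}: {hint}")
    # Constructed configuration: ASA local 10.10.0.0/24, Check Point local 172.16.5.0/24.
    acl = [("10.10.0.0/24", "172.16.5.0/24")]
    for mode in ("subnet_pair", "host_pair"):
        missing, extra = check_asa_acl(acl, ["172.16.5.0/24"], ["10.10.0.0/24"], mode)
        print(mode, "missing on ASA:", missing, "never proposed by peer:", extra)
```

Running it shows that with the per-subnet-pair setting the constructed ACL matches exactly and nothing is reported, whereas the per-host-pair setting produces /32 proxy IDs that an exact-match ACL of subnets never contains, which is the kind of mismatch that surfaces as notify 18 at Phase 2; the same check with a wider peer domain (for example 172.16.0.0/16 against an ACL of 172.16.5.0/24) also reports a mismatch.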