[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1374
  • Last Modified:

VPN through VPN tunneling

Hi,
I'm trying to reach my remote production network connecting in this fashion:
SSLVPN -> Checkpoint (UTM) -> VPN Tunnel ("Lan link") -> Cisco ASA -> Remote Network.

Error message Checkpoint: "Encryption fail reason: Packet is dropped because there is no valid SA".
Error message Cisco: "Rejecting IPsec tunnel: No matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0 local proxy 195.159.X.X/X.X.X.X on interface link.
And: QM FSM error (P2 struct ......)

It seems like my VPN network is not being identified correctly?

The VPN tunnel is working fine for all other local networks.  The VPN network which is 172.31.200.0/24 is basically just an IP pool, and has no interface on the Checkpoint firewall.

Funny thing is i have an identical link to a production environment in sweden with the same hardware and settings, and it works.  Only difference is that the link is over the internet.
0
olemrefv
Asked:
olemrefv
  • 2
2 Solutions
 
pgolding00Commented:
the problem is the asa and checkpoint dont believe they should be tunneling with each other. in the asa, do you have a config line something like this:
crypto map name # set peer <ip of checkpoint>
0
 
QlemoC++ DeveloperCommented:
The Checkpoint is not using the proper P2 SA settings, in particular the remote proxy ID is wrong (some public IP, instead of some private one). Check if the existing P2 proxy setting includes the (virtual) VPN IPs of 172.31.200.0/24.
0
 
olemrefvAuthor Commented:
I fixed the problem by having my firewall open a connection for each host, and not the entire subnet.
0
 
QlemoC++ DeveloperCommented:
That is a awkward workaround. You should be able to open the network by just widen the netmask for your rules.
0

Featured Post

Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now