I tried in vain yesterday to build a PIX site-to-site VPN to a 3rd Party who
have a Checkpoint FW1.
I believe I know the issue as the debug cry ipsec sa gave me a 'proxy
identities not supported'. A quick google suggests this is a mismatched ACL,
however, I only have 1 x entry in my crypto ACL on the PIX so I guess it's
how the Checkpoint represents that same.
The PC behind the Checkpoint initiates the VPN. It uses a NAT address on the
outside of the Checkpoint (not the Checkpoint peer IP). When attempting to
connect to the AS400 it does so on a public translatable static address. So
in my crypto ACL I have 1 x line for return traffic from the AS400 as
access-list blah host (static public IP of AS400) host (nat address of PC)
The crypto map is between the outside public IPs of the 2 x firewalls and
references access-list blah. NB IPSEC Phase 1 completes OK.
A colleague has suggested that the Checkpoint may 'tag on' another entry in
its equivalent crypto list, namely its peer IP address to my static IP for
the AS400. Originally I actually thought this was something to do with
NAT-T - It isn't in the PIX config anywhere and I don't know if it is
supported out of the box on the Checkpoint.
Anyone seen anything like this before? Apparently it happens quite a lot
between these 2. The Checkpoint people have told me they only have 1 x
permit allowing their private hosts (10.2.X.X /16) to use the NAT. This is
different to how the PIX does it as it is public to public.
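An added illustration (not from the original post or either vendor) of the Phase 2 proxy-identity check the PIX performs as responder: the peer's proposed local/remote pair must be the exact mirror of one crypto ACL entry, which is why a host-to-host ACL on the PIX cannot match a proposal built from the Checkpoint's 10.2.0.0/16 domain or its gateway address. Addresses below are constructed TEST-NET placeholders.

```python
import ipaddress

# Constructed placeholder addresses, not the poster's real ones.
AS400_STATIC = "203.0.113.10"   # public static of the AS400 behind the PIX
PC_NAT_ADDR = "198.51.100.5"    # NAT address the PC uses outside the Checkpoint
CP_GATEWAY = "198.51.100.1"     # Checkpoint peer (gateway) address
CP_DOMAIN = "10.2.0.0/16"       # Checkpoint's private encryption domain


def _take(tokens):
    """Consume one address spec (host A | any | NET MASK) from a PIX ACL."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_pix_acl(line):
    """Turn 'access-list NAME permit ip <src> <dst>' into (src_net, dst_net)."""
    rest = line.split()[4:]          # skip: access-list NAME permit ip
    src, rest = _take(rest)
    dst, _ = _take(rest)
    return src, dst


def pix_accepts(acl_entries, peer_local, peer_remote):
    """Responder-side check: the peer's remote must equal our ACL source and
    the peer's local must equal our ACL destination (exact mirror image).
    A False here is what surfaces as 'proxy identities not supported'."""
    peer_local = ipaddress.ip_network(peer_local, strict=False)
    peer_remote = ipaddress.ip_network(peer_remote, strict=False)
    return any(src == peer_remote and dst == peer_local
               for src, dst in acl_entries)


def diagnose():
    """Evaluate the three candidate proposals the post speculates about."""
    acl = [parse_pix_acl(
        f"access-list blah permit ip host {AS400_STATIC} host {PC_NAT_ADDR}")]
    return {
        "pc_nat_to_as400": pix_accepts(acl, PC_NAT_ADDR, AS400_STATIC),
        "private_domain_to_as400": pix_accepts(acl, CP_DOMAIN, AS400_STATIC),
        "gateway_to_as400": pix_accepts(acl, CP_GATEWAY, AS400_STATIC),
    }


if __name__ == "__main__":
    for name, ok in diagnose().items():
        print(f"{name}: {'match' if ok else 'proxy identities not supported'}")
```

Only the NAT-address proposal mirrors the PIX entry; the other two fail, so comparing the Checkpoint's proposed pair against the PIX ACL tells you which side to align.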