Unfortunately, we could not find a way to set up a site-to-site VPN between a Cisco ASA firewall and a Sophos XG210. Crypto map outsidemap2 2 set nat-t-disable. Sent 17853, this log line states that there is a policy mismatch on either end.
As a quick test, try setting VPN Tunnel Sharing to 'pair of hosts' in the Community settings and reinstalling policy. If A can now initiate to B, it is definitely a subnet/Proxy-ID/encryption domain issue in IKE Phase 2. However, just because this setting makes it work DOES NOT mean you should just leave it set to that and call it good, as this setting can result in a very large number of Phase 2/IPSec tunnels being formed. Set it back to 'pair of subnets', then take a look at Scenario 1 in the SK Phoneboy posted.

- Second Edition of my 'Max Power' Firewall Book Now Available at.

Can't count how many times, especially CP vs Cisco ASA, this fixed the problem - changing from 'tunnel per subnet' to 'tunnel per hosts'. The drawback is it does create lots of tunnels this way, loading the firewall.

And by the way, I saw it happening just out of the blue - no config changes on either side, encryption domains match 1 to 1, still either one direction of the VPN stops working, or even some specific hosts in the same network get dropped.

PS For advocates of 'it is a hack!', 'quick fixes are bad', 'you should debug the issue, recompile the firewall code, fix the bug' - (if you come from another planet) in capitalism, whoever pays the money decides what is good for him/her, and when presented with either a quick fix or a fundamental debug taking from hours to days, the client still wants the 'quick fix' - you do what the client asks.
Some things to consider:

- Check Point VPN-1 can supernet networks, and this is not accepted by most other parties. (Documented in SecureKnowledge.)
- Cisco ASA can accept things in Phase 2 which are not right on initial contact but refuse them later on when it is time to rekey. (Thanks to the Cisco TAC engineer for sharing that gold nugget of wisdom, as it is not documented.)

While none of these may apply, it is good to understand that every vendor has its little features to make troubleshooting interesting.
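The two points raised in this thread, the large number of Phase 2 SAs that 'pair of hosts' can create and the Proxy-ID mismatch caused by one side supernetting adjacent subnets, can both be checked on paper before touching either peer. The Python below is an added example written for this page, not code from Check Point, Cisco or any of the posters. It assumes that a Phase 2 Proxy-ID is an exact (local prefix, remote prefix) pair, as the thread describes, and the encryption domains it uses are constructed sample values, not taken from any post.

```python
import ipaddress
from itertools import product

# Constructed sample encryption domains (not from the thread).
# Side A has two adjacent /24s that a supernetting peer would merge into a /23.
A_LOCAL = [ipaddress.ip_network(n) for n in ("10.1.0.0/24", "10.1.1.0/24")]
A_REMOTE = [ipaddress.ip_network("192.168.10.0/24")]
# Side B's view is the mirror image: B's remote domain is A's local domain.
B_LOCAL = [ipaddress.ip_network("192.168.10.0/24")]
B_REMOTE = [ipaddress.ip_network(n) for n in ("10.1.0.0/24", "10.1.1.0/24")]


def collapse_domain(nets):
    """Merge adjacent or overlapping prefixes the way a supernetting peer would,
    e.g. 10.1.0.0/24 + 10.1.1.0/24 -> 10.1.0.0/23."""
    return list(ipaddress.collapse_addresses(nets))


def proposed_pairs(local, remote, supernet=False):
    """Proxy-ID pairs a peer proposes in 'pair of subnets' mode: one SA per
    (local subnet, remote subnet). With supernet=True the local and remote
    domains are collapsed first, which changes the prefixes being offered."""
    if supernet:
        local, remote = collapse_domain(local), collapse_domain(remote)
    return {(str(l), str(r)) for l, r in product(local, remote)}


def max_host_pair_sas(local, remote):
    """Upper bound on Phase 2 SAs in 'pair of hosts' mode: one SA for every
    (local address, remote address) combination that ever talks."""
    return sum(l.num_addresses * r.num_addresses for l, r in product(local, remote))


def check_proxy_ids(a_local, a_remote, b_local, b_remote, a_supernets=False):
    """Compare what A proposes against what B expects, from A's perspective.
    Anything in only_on_a will be refused by B (or, per the thread, possibly
    accepted at first and refused at rekey); matched pairs are the working SAs."""
    a_pairs = proposed_pairs(a_local, a_remote, supernet=a_supernets)
    # B evaluates (B local, B remote); flip it so both sets use A's orientation.
    b_pairs = {(r, l) for l, r in proposed_pairs(b_local, b_remote)}
    return {
        "matched": sorted(a_pairs & b_pairs),
        "only_on_a": sorted(a_pairs - b_pairs),
        "only_on_b": sorted(b_pairs - a_pairs),
    }


if __name__ == "__main__":
    print("pair of subnets, no supernetting:", check_proxy_ids(A_LOCAL, A_REMOTE, B_LOCAL, B_REMOTE))
    print("pair of subnets, A supernets:    ", check_proxy_ids(A_LOCAL, A_REMOTE, B_LOCAL, B_REMOTE, a_supernets=True))
    print("max SAs under pair of hosts:     ", max_host_pair_sas(A_LOCAL, A_REMOTE))
```

With the sample domains the exact-subnet comparison matches 1 to 1, while the supernetted run offers 10.1.0.0/23 to a peer that only knows two /24s, so nothing matches even though the /23 covers the same addresses. The 'pair of hosts' bound for the same two /24-to-/24 pairs is 131072 possible SAs, which is why the thread's advice is to use that mode only as a test and then switch back.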