I tried in vain yesterday to build a PIX site-to-site VPN to a 3rd Party who have a Checkpoint FW1.
I believe I know the issue, as the debug cry ipsec sa gave me a 'proxy identities not supported'. A quick Google suggests this is a mismatched ACL; however, I only have 1 x entry in my crypto ACL on the PIX, so I guess it's how the Checkpoint represents the same.
The PC behind the Checkpoint initiates the VPN. It uses a NAT address on the outside of the Checkpoint (not the Checkpoint peer IP). When attempting to connect to the AS400 it does so on a public translatable static address. So in my crypto ACL I have 1 x line for return traffic from the AS400 as follows:
access-list blah host (static public IP of AS400) host (nat address of PC) etc.
The crypto map is between the outside public IPs of the 2 x firewalls and references access-list blah. NB IPSEC Phase 1 completes OK.
A colleague has suggested that the Checkpoint may 'tag on' another entry in its equivalent crypto list, namely its peer IP address to my static IP for the AS400. Originally I actually thought this was something to do with NAT-T; it isn't in the PIX config anywhere and I don't know if it is supported out of the box on the Checkpoint.
Anyone seen anything like this before? Apparently it happens quite a lot between these 2. The Checkpoint people have told me they only have 1 x permit allowing their private hosts (10.2.X.X /16) to use the NAT. This is different to how the PIX does it as it is public to public.
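To make the suspected cause concrete, here is an added toy model of how a responder checks Phase 2 proxy identities against its crypto ACL. It is not from the post or from any Cisco/Checkpoint documentation; the addresses are constructed RFC 5737/RFC 1918 documentation values standing in for the AS400 static, the PC's NAT address, the Checkpoint peer IP and the 10.2.0.0/16 private range, and the matching rule is deliberately simplified (a proposal is accepted only when both of its selectors fall inside a single ACL line). It shows why the PIX with one host-to-host line accepts the PC-NAT proposal but rejects a proposal that names the Checkpoint's own peer IP or its private network, and how a second ACL line would change the outcome.

```python
"""Toy model of IPsec Phase 2 proxy-identity (traffic selector) matching.

Constructed example: addresses are documentation ranges, not the ones in the
post, and the rule "both selectors must sit inside one crypto ACL line" is a
simplification of what a PIX does when it logs 'proxy identities not supported'.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Selector:
    """One crypto ACL line on the PIX.

    'local' is the address space the PIX protects (the AS400 static),
    'remote' is the address space expected behind the Checkpoint.
    """
    local: Net
    remote: Net


@dataclass(frozen=True)
class Proposal:
    """Phase 2 proxy IDs offered by the peer, expressed from the PIX's point
    of view (the peer's 'remote' is our 'local' and vice versa)."""
    local: Net
    remote: Net


def host(addr: str) -> Net:
    """Build a /32 network for a single host address."""
    return ipaddress.ip_network(f"{addr}/32")


def covers(entry: Selector, prop: Proposal) -> bool:
    """True when both sides of the proposal lie within this ACL line."""
    return prop.local.subnet_of(entry.local) and prop.remote.subnet_of(entry.remote)


def find_matching_entry(acl, prop):
    """Return the index of the first ACL line covering the proposal, or None.

    None is the condition that surfaces in the PIX debug as
    'proxy identities not supported'.
    """
    for index, entry in enumerate(acl):
        if covers(entry, prop):
            return index
    return None


# Constructed stand-ins for the addresses discussed in the post.
AS400_STATIC = host("203.0.113.10")      # public translatable static of the AS400
PC_NAT = host("198.51.100.20")           # NAT address the PC uses outside the Checkpoint
CHECKPOINT_PEER = host("198.51.100.1")   # Checkpoint's own peer (gateway) IP
CHECKPOINT_PRIVATE = ipaddress.ip_network("10.2.0.0/16")  # private hosts behind it

# The PIX side: the single 'access-list blah host ... host ...' line.
PIX_ACL = [Selector(local=AS400_STATIC, remote=PC_NAT)]

# Three proposals the Checkpoint might send, as seen by the PIX.
PROPOSALS = {
    "pc_nat_to_as400": Proposal(local=AS400_STATIC, remote=PC_NAT),
    "peer_ip_to_as400": Proposal(local=AS400_STATIC, remote=CHECKPOINT_PEER),
    "private_net_to_as400": Proposal(local=AS400_STATIC, remote=CHECKPOINT_PRIVATE),
}


def evaluate(acl, proposals):
    """Map each proposal name to the matching ACL index (or None)."""
    return {name: find_matching_entry(acl, prop) for name, prop in proposals.items()}


if __name__ == "__main__":
    for name, result in evaluate(PIX_ACL, PROPOSALS).items():
        verdict = f"matches ACL line {result}" if result is not None else "REJECTED (proxy identities not supported)"
        print(f"{name:22s} -> {verdict}")
    # What happens if the PIX admin adds a second line for the peer IP.
    extended = PIX_ACL + [Selector(local=AS400_STATIC, remote=CHECKPOINT_PEER)]
    print("with extra line, peer_ip_to_as400 ->", find_matching_entry(extended, PROPOSALS["peer_ip_to_as400"]))
```

Run stand-alone, the script shows the PC-NAT proposal matching line 0 and the other two rejected; the last line shows that a second, matching ACL entry on the PIX would accept the peer-IP identity. The practical check this suggests is to compare the exact selector pair in the PIX debug output with what the Checkpoint's encryption domain and NAT rules produce, rather than assuming both sides describe the same hosts.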