We have a site-to-site VPN setup that was allowing one IP. On the IPsec tunnel's proxy-id, the local was (10.1.2.1/32), which was working just fine.
We had to recently allow two more IPs, 10.1.2.20 and 10.1.2.75. I changed the IPsec tunnel's proxy-id local to 10.1.2.0/32 to allow a range. When we made this change the VPN is enabled, but we are seeing the following error from the external site trying to access these IPs.
"IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 10.1.2.75/32 type IPv4_address protocol 0 port 0, received remote id: 10.x.x.x/22 type IPv4_subnet protocol 0 port 0."
For some reason now the connection does not see a matching encryption? Any ideas where to pinpoint this issue? I checked our crypto settings to make sure they match on the other end. The user connecting is on a Cisco firewall. Before these changes, one thing I had to do was set no-pfs on the DH group. I'm wondering, since this is a range and not a single IP, is this different now?
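As an added illustration (not from the post or its author), the check below parses the quoted PAN-OS log line and compares the selectors the peer proposed against a configured proxy ID, reporting per side whether the received selector is an exact match, sits inside the configured one, or falls outside it. The remote /22 is a constructed stand-in for the redacted 10.x.x.x/22, and the configured values passed in are assumptions.

```python
import re
from ipaddress import ip_network

# Constructed sample in the format of the PAN-OS log line quoted in the post.
# 10.200.0.0/22 is a made-up value standing in for the redacted 10.x.x.x/22.
SAMPLE_LOG = (
    "IKE phase-2 negotiation failed when processing proxy ID. "
    "cannot find matching phase-2 tunnel for received proxy ID. "
    "received local id: 10.1.2.75/32 type IPv4_address protocol 0 port 0, "
    "received remote id: 10.200.0.0/22 type IPv4_subnet protocol 0 port 0"
)

ID_RE = re.compile(r"received (local|remote) id: (\S+) type \S+ protocol (\d+) port (\d+)")


def parse_received_ids(line):
    """Extract the local/remote selectors the peer sent from a log line."""
    ids = {}
    for side, net, proto, port in ID_RE.findall(line):
        ids[side] = (ip_network(net, strict=False), int(proto), int(port))
    if set(ids) != {"local", "remote"}:
        raise ValueError("log line does not carry both proxy IDs")
    return ids


def classify(configured_net, received_net):
    """'exact' if identical, 'narrower' if received lies inside configured, else 'mismatch'."""
    if received_net == configured_net:
        return "exact"
    if received_net.subnet_of(configured_net):
        return "narrower"
    return "mismatch"


def check_proxy_id(configured, line):
    """Compare a configured proxy ID (assumed shape: local/remote CIDR strings,
    protocol and port as ints) against the selectors in a log line.
    Returns {'local': ..., 'remote': ...} with one classification per side."""
    received = parse_received_ids(line)
    result = {}
    for side in ("local", "remote"):
        cfg_net = ip_network(configured[side], strict=False)
        net, proto, port = received[side]
        if proto != configured["protocol"] or port != configured["port"]:
            result[side] = "mismatch"  # protocol/port must agree before prefixes matter
        else:
            result[side] = classify(cfg_net, net)
    return result
```

Note that `10.1.2.0/32` denotes the single host 10.1.2.0, so a received `10.1.2.75/32` is classified as `mismatch` against it; whether a `narrower` result is accepted depends on the IKE version and platform, so only `exact` is safe to rely on.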