I'm experiencing a strange issue with a site-to-site VPN that I've set up between our corporate cluster (15000 appliance - R80.40 T125) and a Cisco ASA (unfortunately I don't have any OS/version info of the peer gateway).
If I configure the tunnel as a permanent tunnel, phase 1 negotiates fine; however, the phase 2 exchange fails with the following error: Auth exchange: Received notification from peer: Traffic selectors unacceptable MyTSi: <X.X.X.X> MyTSr: <Y.Y.Y.Y>. If I disable the permanent tunnel, phase 1 & 2 negotiate perfectly. The IPsec renegotiation is every 8 hours. I left a continuous ping running to keep the tunnel up until renegotiation, and it re-keyed perfectly.
Is there a known issue with permanent tunnels between Check Point and Cisco ASAs (or other 3rd parties)?
Some of the things I've tried:
Adding the peer & ranges into the user.def.FW1 file on the Mgmt Server
Changing the keepalive parameter in GuiDBedit to "dpd" instead of "tunnel_test"
Confirmed all IKE phase 1 & 2 parameters match on both sides, as well as our encryption domains/their crypto maps.
NB - I am unable to test/use IKEv1 as the third-party company's security policy prohibits the use of this protocol.
Any help/suggestions would be much appreciated.
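The notification in the post ("Traffic selectors unacceptable", i.e. IKEv2 TS_UNACCEPTABLE) is sent by the responder when none of the TSi/TSr ranges the initiator proposes intersect its own policy; in IKEv2 the first child SA is negotiated inside IKE_AUTH, which is why the IKE SA ("phase 1") completes and the failure surfaces as a phase 2 error. The following is an added example (not code from the original post, and not Check Point or Cisco software) that simulates the responder's selection and narrowing logic from RFC 7296 section 2.9 against a crypto-map-style ACL. All addresses are constructed; the "permanent" scenario is built only to show how the notification arises when the proposed initiator-side selector falls outside the peer's ACL, not to assert that this is what the gateway sends in the permanent-tunnel case. The check to apply to the real gateway is to compare the MyTSi/MyTSr addresses printed in the error against the ASA's crypto ACL lines.

```python
"""Simplified IKEv2 traffic selector (TS) negotiation, RFC 7296 section 2.9.

Added example with constructed addresses; not taken from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_PROTO = 0


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE entry: address range, port range, IP protocol."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    start_port: int = 0
    end_port: int = 65535
    proto: int = ANY_PROTO

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = ANY_PROTO) -> "TrafficSelector":
        net = ipaddress.IPv4Network(cidr, strict=False)
        return cls(net[0], net[-1], proto=proto)

    def intersect(self, other: "TrafficSelector") -> Optional["TrafficSelector"]:
        """Return the overlap of two selectors, or None if they do not overlap."""
        if (self.proto != ANY_PROTO and other.proto != ANY_PROTO
                and self.proto != other.proto):
            return None
        proto = self.proto if self.proto != ANY_PROTO else other.proto
        start, end = max(self.start, other.start), min(self.end, other.end)
        sp, ep = max(self.start_port, other.start_port), min(self.end_port, other.end_port)
        if start > end or sp > ep:
            return None
        return TrafficSelector(start, end, sp, ep, proto)

    def __str__(self) -> str:
        return f"{self.start}-{self.end}"


@dataclass(frozen=True)
class AclEntry:
    """Responder policy in the shape of 'permit ip <local> <remote>'."""
    local: TrafficSelector   # responder-side networks (ACL source)
    remote: TrafficSelector  # initiator-side networks (ACL destination)


Result = Tuple[str, Optional[Tuple[TrafficSelector, TrafficSelector]]]


def responder_select(policy: List[AclEntry],
                     tsi: List[TrafficSelector],
                     tsr: List[TrafficSelector]) -> Result:
    """Pick the TSi/TSr the responder will accept, narrowing to its policy.

    The initiator lists the triggering packet's selectors first, so the first
    (tsi, tsr) pair that fits an ACL entry wins. With no fit at all the
    responder answers with the TS_UNACCEPTABLE notification.
    """
    for entry in policy:
        for i in tsi:
            for r in tsr:
                narrowed_i = i.intersect(entry.remote)  # initiator side vs ACL destination
                narrowed_r = r.intersect(entry.local)   # responder side vs ACL source
                if narrowed_i and narrowed_r:
                    return "OK", (narrowed_i, narrowed_r)
    return "TS_UNACCEPTABLE", None


def demo() -> Dict[str, Result]:
    """Three constructed negotiations against one crypto-map-style ACL."""
    ts = TrafficSelector.from_cidr
    # Constructed responder ACL: permit ip 192.168.5.0/24 10.1.0.0/16
    policy = [AclEntry(local=ts("192.168.5.0/24"), remote=ts("10.1.0.0/16"))]
    return {
        # A ping from 10.1.1.5 to 192.168.5.9 triggers the SA: host pair first,
        # full encryption domain second. Responder narrows to the host pair.
        "ping": responder_select(policy,
                                 tsi=[ts("10.1.1.5/32"), ts("10.1.0.0/16")],
                                 tsr=[ts("192.168.5.9/32"), ts("192.168.5.0/24")]),
        # Constructed: initiator-side selector 172.16.0.1 lies outside the ACL
        # destination, so no pair intersects and the responder rejects.
        "permanent": responder_select(policy,
                                      tsi=[ts("172.16.0.1/32")],
                                      tsr=[ts("192.168.5.0/24")]),
        # Oversized supernets are narrowed down to exactly the ACL networks.
        "supernet": responder_select(policy,
                                     tsi=[ts("10.0.0.0/8")],
                                     tsr=[ts("192.168.0.0/16")]),
    }


if __name__ == "__main__":
    for name, (status, selected) in demo().items():
        detail = f"TSi={selected[0]} TSr={selected[1]}" if selected else ""
        print(f"{name:10s} {status} {detail}")
```

The same intersection logic applies when the ASA is the initiator and the Check Point the responder; only which side's ACL is consulted changes. If the MyTSi value in the real error is an address that no crypto ACL line on the ASA covers, that is the mismatch to resolve.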