nastiakhon
Contributor

VPN Site-2-Site on alias interface

Hello,
Please help me solve a problem. The situation is as follows. We need to set up a VPN between two locations; on our side a Check Point and on the other side a Cisco Firepower (FTD). External/public addresses (example):
PUB 1.1.1.1 255.255.255.0 (eth1) on our side
PUB 2.2.2.2 255.255.255.255 on the Cisco Firepower side
We have an internal server, 192.168.10.26/24, for which we need to provide communication, but we cannot select it as the internal LAN network for the VPN; we need to select the address PUB 1.1.1.2/32 as the internal network.
On the Cisco Firepower side, the LAN network is also from the public address range, conventionally 3.3.3.3/32.

Thus, my settings are as follows:
1. I set an alias on the eth1 interface, so it becomes eth1:1 - 1.1.1.2/24
2. I configure NAT: if 192.168.10.26 goes to 3.3.3.3, then NAT to 1.1.1.2
3. I create a VPN community in which I set the encryption and the PSK, and set the parameter allowing NAT; for our GW 1.1.1.1 I set up the VPN domain containing 192.168.10.26 and 1.1.1.2, and I set up the VPN domain for the other side, which is 3.3.3.3. Tunnel Management in the community is set to One Tunnel Per Gateway Pair.
4. I create the rules:
1.1.1.1 to 2.2.2.2 - Allow
2.2.2.2 to 1.1.1.1 - Allow
192.168.10.26 to 3.3.3.3 - allow
3.3.3.3 to 192.168.10.26 - allow
1.1.1.2 to 3.3.3.3 - allow + community VPN
3.3.3.3 to 1.1.1.2 - allow + community VPN
5. I configure the "user.def" file:
subnet_for_range_and_peer = {
<2.2.2.2, 1.1.1.2, 1.1.1.2; 255.255.255.255>
};

I check that the tunnel is established, both Phase 1 and Phase 2; from the 3.3.3.3 server to the 192.168.10.26 server, traffic flows, I can see it with Wireshark at 192.168.10.26.
But traffic does not flow from 192.168.10.26 to 3.3.3.3. In the logs I see that the traffic reached the Check Point GW, passed NAT, matched the rule "From 192.168.10.26 to 3.3.3.3 - allow" and then went into the VPN tunnel.
Return message: Reject:
Child SA exchange: Received notification from peer: No proposal chosen. MyMethods Phase2: AES-256 + HMAC-SHA2-256, No IPComp, No ESN, Group 14
We checked the encryption settings and they all match; and if the encryption did not match, would packets even reach my server from the remote server?
Could you please tell me where I could have gone wrong?

14 Replies
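The following is an added illustration, not code from the post, from Check Point or from Cisco: a small model of how IPsec Phase 2 traffic selectors (proxy IDs) are chosen on the initiating side and matched on the responding side for the setup described above, so that you can see which source/destination pairs could ever produce a Child SA against a peer that protects 1.1.1.2/32 <-> 3.3.3.3/32. Everything beyond the post's own addresses is an assumption: the local VPN domain is modelled as 192.168.10.0/24 plus 1.1.1.2/32, the default selector is taken to be the largest VPN-domain network containing the address, and the user.def `subnet_for_range_and_peer` entry is modelled as a per-peer override of that selector. The function names (`local_selector`, `negotiate`, `evaluate`) are hypothetical.

```python
"""Model of Phase 2 selector choice and matching for the site-to-site
tunnel in the post. Illustration only; it encodes the rule that a Child SA
is established only when the selector pair the initiator proposes overlaps
what the responder is configured to protect for that peer."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Constructed scenario data using the post's (example) addresses.
PEER_GW = "2.2.2.2"
LOCAL_VPN_DOMAIN = [Net("192.168.10.0/24"), Net("1.1.1.2/32")]  # assumption
REMOTE_VPN_DOMAIN = [Net("3.3.3.3/32")]
# Model of: subnet_for_range_and_peer = { <2.2.2.2, 1.1.1.2, 1.1.1.2; 255.255.255.255> };
OVERRIDES: Dict[str, List[Tuple[str, str, str]]] = {
    PEER_GW: [("1.1.1.2", "1.1.1.2", "255.255.255.255")],
}
# What the FTD side protects, as stated in the post: (its local, our side).
PEER_EXPECTS = (Net("3.3.3.3/32"), Net("1.1.1.2/32"))


def containing_net(ip: str, domain: List[Net]) -> Optional[Net]:
    """Largest configured network containing ip, or None if ip is outside the domain."""
    addr = Addr(ip)
    hits = [n for n in domain if addr in n]
    return min(hits, key=lambda n: n.prefixlen) if hits else None


def local_selector(peer_gw: str, src_ip: str) -> Optional[Net]:
    """Selector our gateway proposes for src_ip toward peer_gw.
    A user.def-style override for this peer wins when src_ip is inside its
    range; otherwise fall back to the VPN-domain network containing src_ip."""
    addr = Addr(src_ip)
    for first, last, mask in OVERRIDES.get(peer_gw, []):
        if Addr(first) <= addr <= Addr(last):
            return Net((first, mask), strict=False)
    return containing_net(src_ip, LOCAL_VPN_DOMAIN)


def intersect(a: Net, b: Net) -> Optional[Net]:
    """Overlap of two CIDR blocks: one contains the other or they are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate(ts_i: Optional[Net], ts_r: Optional[Net],
              narrowing: bool = True) -> Tuple[str, Optional[Tuple[Net, Net]]]:
    """Responder-side check of a proposed selector pair (ts_i = initiator's
    source selector, ts_r = destination selector). With narrowing (IKEv2,
    RFC 7296 section 2.9) any overlap is accepted and shrunk to the
    responder's configuration; without it (IKEv1 style) an exact match is needed."""
    if ts_i is None or ts_r is None:
        return "rejected: address outside any VPN domain", None
    peer_local, peer_remote = PEER_EXPECTS
    if narrowing:
        i, r = intersect(ts_i, peer_remote), intersect(ts_r, peer_local)
        if i is None or r is None:
            return "rejected: selectors do not overlap peer configuration", None
        return "established", (i, r)
    if ts_i == peer_remote and ts_r == peer_local:
        return "established", (ts_i, ts_r)
    return "rejected: selectors differ from peer configuration", None


def evaluate(src_ip: str, dst_ip: str, narrowing: bool = True):
    """Outcome for one flow, given the source address as it is when the
    gateway picks the selector (i.e. after NAT has or has not rewritten it)."""
    return negotiate(local_selector(PEER_GW, src_ip),
                     containing_net(dst_ip, REMOTE_VPN_DOMAIN), narrowing)


if __name__ == "__main__":
    for src in ("192.168.10.26", "1.1.1.2"):   # pre-NAT and post-NAT source
        for narrowing in (True, False):
            print(f"{src:>14} -> 3.3.3.3 narrowing={narrowing}: "
                  f"{evaluate(src, '3.3.3.3', narrowing)}")
```

Running it shows the two cases side by side: a flow whose source is still 192.168.10.26 when the selector is chosen gets the 192.168.10.0/24 selector, which has no overlap with the peer's 1.1.1.2/32 and is rejected; a flow whose source is already 1.1.1.2 gets the override selector 1.1.1.2/32 and is accepted with or without narrowing. Comparing the selector pair your gateway actually proposes (visible in the IKE debug on either side) against the pair the FTD protects is the check this model stands in for.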