topic Re: R80.40 Custom VPN Domain not working as expected in Firewall and Security Management

R80.40 Custom VPN Domain not working as expected

Christoph — Fri, 18 Sep 2020 12:39:04 GMT

Hi,

running R80.40 latest T78 and yesterday had an issue with a new VPN site.

I'm using the newly introduced custom VPN Domains, which allows for only specific encryption domain advertisements to the partner site, so I thought.

Setup:

Network: 172.16.0.0/16

Default VPN Domain: Multitude of networks, including 172.16.0.0/17 not including 172.16.100.0/24

Custom VPN Domain configured: 172.16.100.0/24 as a network object. This object is standalone and not used anywhere else.

The default VPN Domain does not include the network 172.16.100.0/24 object.

VPN tunnel sharing is set to: by subnet

Q2 proposal fails: We are offering 172.16.0.0/17, if a hosts from our side initiates the tunnel. Expected behavior, imho would be to have 172.16.100.0/24 proposed as our encryption domain.

Adding 172.16.100.0/24 to the default VPN domain fixes this issue.

So just to be clear, this custom VPN domain is only a "filter" and not an explicit "setting", or am I missing something?

Cheers

Christoph

Edit: Formating

Re: R80.40 Custom VPN Domain not working as expected

Nik_Bloemers — Fri, 18 Sep 2020 07:09:54 GMT

I noticed some weirdness with this as well. I was hoping this would be a more elegant solution for user.def changes, but sadly it doesn't appear to work this way.

Re: R80.40 Custom VPN Domain not working as expected

Andreas_Aust — Fri, 18 Sep 2020 12:22:48 GMT

Could someone from Check Point shed some light on this issue?

Re: R80.40 Custom VPN Domain not working as expected

PhoneBoy — Sun, 20 Sep 2020 21:59:21 GMT

This sounds like a bug and the TAC should be involved.
Are the gateways also R80.40 as well in this case?

Re: R80.40 Custom VPN Domain not working as expected

Christoph — Mon, 21 Sep 2020 06:15:33 GMT

Yes, everything is R80.40 Take78. This is a migration project. There are other observations concerning this issue, with three working tunnels, where the custom VPN domain looked like it worked, there were no complains, maybe it wasn't used. Hard to tell now, as we put the faulting net in the default vpn domain.

Re: R80.40 Custom VPN Domain not working as expected

Benedikt_Weissl — Mon, 21 Sep 2020 09:26:19 GMT

Does it work if you configure it according to sk108600 scenario 1?

Do you see any output if you run"fw tab -t subnet_for_range_and_peer" in expert mode?