topic IKE IDs is smaller than Encryption Domain definition in Firewall and Security Management

IKE IDs is smaller than Encryption Domain definition

CheckPointerXL — Sat, 25 Jun 2022 10:59:47 GMT

Hi all,

very small setup:

S2S VPN Domain based, my enc domain has only 10.10.0.0/16,

Anyway, what i found by vpn tu is that my ike id is 10.10.0.0/17.

Trying to connect to a host inside 10.10.128.0/17, I get a new IKE id with a /32 on my side, this is related to the host IP of course.

I checked all my communities, but it seems that this behavior is not linked to sk170857.

So, why this happens?

Maybe some NAT rule inside 10.10.128.0/17 is breaking the subnet because of the natted IP which is not in peer's enc domain?

thanks a lot

the_rock — Sat, 25 Jun 2022 11:05:46 GMT

Go to guidbedit and search for supernet, ike_use...cant remember exact values now, but may have to do with those.

CheckPointerXL — Sat, 25 Jun 2022 11:09:33 GMT

do you mean ike_use_largest_possible_subnets ?

It seems that i'm facing the opposite problem...

the_rock — Sat, 25 Jun 2022 11:11:50 GMT

Yes, that, but also any supernet setting, turn it to false.

Vladimir — Sat, 25 Jun 2022 20:04:19 GMT

Check the VPN community settings to see if it is configured "per pair of hosts".

CheckPointerXL — Sat, 25 Jun 2022 22:15:01 GMT

Hello Vladimir,

Thank you for your feedback.

Of course is configured "per subnet pair", domain based setup.

Next hours i will check for previous mentioned dnguiedt value