topic Re: Site-to-Site VPN with overlap subnets between communities in Firewall and Security Management

Site-to-Site VPN with overlap subnets between communities

IT_Eng — Mon, 15 Aug 2022 16:26:36 GMT

Hello Mates,

We have an existing community with a tunnel to Palo Alto A with subnet 10.16.0.0/15 behind it.

We need to create a new tunnel in a different community to a Palo Alto B with a subnet of 10.16.100.0/24.

The tunnel to tunnel B is not even initiating IKE, all the traffic is going to the existing tunnel to Palo Alto A.

I know that the proper subset (as called by Checkpoint) is not supported in general, but is it not clear which side the proper subset is referred to.

The only option I see is a route-based VPN for the new tunnel. But I thought I will ask here before if there is something different to try.

SMS and gateway os R81.10

Re: Site-to-Site VPN with overlap subnets between communities

PhoneBoy — Wed, 17 Aug 2022 17:54:18 GMT

You'd have to define the encryption domains without overlaps for this to work correctly, I suspect.
If that's not possible, it does probably mean moving to route-based VPNs.

Re: Site-to-Site VPN with overlap subnets between communities

IT_Eng — Thu, 18 Aug 2022 08:36:30 GMT

Thanks for the answer.

So I've already tried route-based in the meantime, without success. But, it was configured only on tunnel B so I presume this was the reason that it didn't work.

Any other suggestions? I'm trying PBR as I write this comment.

Re: Site-to-Site VPN with overlap subnets between communities

PhoneBoy — Thu, 18 Aug 2022 15:26:13 GMT

Mixing route and domain based VPNs has some limitations: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109340&partition=Advanced&product=IPSec
Namely that domain based VPNs take precedence over route-based VPNs, which is exactly what you're experience here.
PBR probably won't work as I believe domain-based VPNs take priority.

Re: Site-to-Site VPN with overlap subnets between communities

IT_Eng — Sun, 21 Aug 2022 13:45:53 GMT

Thanks for your answers!

Re: Site-to-Site VPN with overlap subnets between communities

motip — Tue, 23 Aug 2022 14:21:19 GMT

A possible solution may be for the 3rd-party to Statically NAT the overlapping subnet to another subnet that doesn't collide with either their internal subnets or CP VPN domains (probably for the peer having 10.16.100.0/24). From CP side you'll need to define the NAT subnet as part of the peer's encryption domain and remove the overlap section from it.