https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223548#M42876 <P>Hi Dameon,</P><P>I set one per subnet pair, which caused it to send two traffic selector pairs, host-to-host with protocol ICMP, and universal. Exactly the behaviour I saw with per-Gateway pair.</P><P>&nbsp;</P> Tue, 13 Aug 2024 22:55:28 GMT stallwoodj 2024-08-13T22:55:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223516#M42865 <P>Hi,</P><P>We have an inherited Juniper firewall which we are planning to migrate to Check Point.&nbsp;</P><P>Some of the tunnels that are established have a local traffic selector of 192.168.x.0/24 and a remote selector 0.0.0.0/0. And one has them the other way round with a local domain 0/0 and a remote domain 172.x.x.0/24</P><P>I've tried the standard route-based VPN method (in R81.10 lab back-to-back with an SRX), having set the default VPN topology as an empty group, creating VTIs and static routes, and overriding the local or remote topology to specific subnet on a per-VPN basis.</P><P>The SRX happily comes up and negotiates its IKEv2 with an initial traffic selector &lt;0.0.0.0/0&gt;-&lt;192.168.x.0/24&gt;, great. However, as soon as I attempt to push traffic, the Check Point tries negotiate a new child SA with &lt;0.0.0.0/0&gt;-&lt;0.0.0.0/0&gt; which the SRX rejects "Traffic selectors unacceptable". The attempt was seen in iked.elg and the traffic captured in legacy_ikev2.xmll.</P><P>I tried to override this with subnet_for_range_and_peer but it had no affect on the issue.</P><P>So, is it / will it ever be possible to use route-based VPN without being forced to use Universal Tunnel at both ends? Currently I'm forced to get the 3rd party peers to change their traffic selectors which is annoying <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Thanks</P><P>Jamie</P> Tue, 13 Aug 2024 14:56:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223516#M42865 stallwoodj 2024-08-13T14:56:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223539#M42870 <P>What's the setting in the VPN Community?<BR />One Tunnel per Community would result in the 0.0.0.0/0 selector.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27229i28391FDAFF49DF8F/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Tue, 13 Aug 2024 17:54:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223539#M42870 PhoneBoy 2024-08-13T17:54:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223548#M42876 <P>Hi Dameon,</P><P>I set one per subnet pair, which caused it to send two traffic selector pairs, host-to-host with protocol ICMP, and universal. Exactly the behaviour I saw with per-Gateway pair.</P><P>&nbsp;</P> Tue, 13 Aug 2024 22:55:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223548#M42876 stallwoodj 2024-08-13T22:55:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223551#M42879 <P>I'm trying to find something other than this community thread that confirms this is expected behavior:&nbsp;<A href="https://community.checkpoint.com/t5/General-Topics/Route-based-VPN-Proxy-ID-0-0-0-0-0/m-p/55192#M11025" target="_blank">https://community.checkpoint.com/t5/General-Topics/Route-based-VPN-Proxy-ID-0-0-0-0-0/m-p/55192#M11025</A>&nbsp;<BR />Maybe you can change this with the "Before R77.20" version of Option 1 here:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk108600" target="_blank">https://support.checkpoint.com/results/sk/sk108600</A><BR />Otherwise, I suspect this is an RFE.</P> Wed, 14 Aug 2024 01:05:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223551#M42879 PhoneBoy 2024-08-14T01:05:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223592#M42887 <P>Thanks, I've raised the RFE!</P> Wed, 14 Aug 2024 08:00:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mixing-Universal-Tunnel-and-specific-topologies/m-p/223592#M42887 stallwoodj 2024-08-14T08:00:47Z