topic Re: IPsec VPN with both gateways in the same subnet in Firewall and Security Management

IPsec VPN with both gateways in the same subnet

MattGo — Fri, 17 Oct 2025 09:12:45 GMT

Hello everyone, does anyone know if it is possible to configure a site-to-site VPN between two Check Point R81.20 gateways that are within the same subnet? The client has two data centres linked at layer 2 and want an encrypted tunnel, but at layer 3 it's the same subnet, with one gateway at either end of the link. Unfortunately I do not have sight of the configuration as it's in a secure environment but it seems that the tunnel is not coming up and I was wondering if it is simply never going to work without other changes (e.g. using different subnets) or whether to continue diagnostics work. Thanks.

Re: IPsec VPN with both gateways in the same subnet

the_rock — Fri, 17 Oct 2025 09:32:17 GMT

Yup...just assign empty group as enc. domain on both fws.

Re: IPsec VPN with both gateways in the same subnet

Wolfgang — Fri, 17 Oct 2025 12:45:12 GMT

I believe not. To send the traffic encrypted from one site to another your gateways must work as Layer 3 routing device.

If your datacenter is connected via Layer 2, why not using encryption features of the Layer 2 devices like MACSec?

Or as an idea you can create a VXLAN tunnel for your Layer 2 subnet see sk170014 - Virtual Extensible LAN (VXLAN) Configuration Guide

Re: IPsec VPN with both gateways in the same subnet

the_rock — Fri, 17 Oct 2025 16:11:44 GMT

Im fairly sure we got this working before the way I mentioned.

Re: IPsec VPN with both gateways in the same subnet

Bob_Zimmerman — Fri, 17 Oct 2025 16:50:46 GMT

As in a collection of networks behind one firewall, a different collection of networks behind the other firewall, and the two firewalls are connected with no routers between them? Works fine. VPN termination functionality is just traffic which rides on top of routing functionality. If they can ping each other, they can negotiate IKE and IPSec.

If the networks behind each firewall overlap, it won't work, but that has nothing to do with the topology of the environment between them.

Re: IPsec VPN with both gateways in the same subnet

the_rock — Fri, 17 Oct 2025 18:25:33 GMT

True that!

Re: IPsec VPN with both gateways in the same subnet

MattGo — Tue, 21 Oct 2025 08:19:49 GMT

Thank you for all your comments - looks like more diagnosis on the underlying issue is required.

Re: IPsec VPN with both gateways in the same subnet

the_rock — Mon, 27 Oct 2025 01:52:05 GMT

Let us know how it gets solved...cheers.

Re: IPsec VPN with both gateways in the same subnet

MarcuzShinz — Fri, 31 Oct 2025 03:34:26 GMT

If you configure S2S and both sites have the same subnet, you need to add a NAT rule to translate both your local subnet and the remote subnet on the other site.

Description below:
In the Communities settings, you still define the actual local and remote subnets. Then, you need to create two different subnets for the NAT configuration.

At this point, both sites must allow firewall rules for those NAT subnets instead of allowing the real subnets.
After doing so, each site will only see the other’s NAT subnet, not the real IPs.

Re: IPsec VPN with both gateways in the same subnet

Bob_Zimmerman — Fri, 31 Oct 2025 14:21:15 GMT

That's correct if the gateways have the same subnet behind them. That doesn't sound like what's going on here. This environment sounds like a normal VPN topology, except instead of the Internet with a bunch of routers between the firewalls, it's a switched path (or a pseudowire or something similar).