https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51513#M10197 <P>Hi Guys,</P><P>I have tunnel set it up between R80.20 and PAN, Phase 1 is up and is mismatching encryption domains. For CP its 10.1.3.0/24 while at remote end is 10.1.6.0/24.</P><P>When I done the debug found that CP is sending it as 10.1.6.128/25 and that is the reason my tunnel is not coming up.</P><P>What could be the issue?</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Apr 2019 14:46:28 GMT Blason_R 2019-04-22T14:46:28Z https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51513#M10197 <P>Hi Guys,</P><P>I have tunnel set it up between R80.20 and PAN, Phase 1 is up and is mismatching encryption domains. For CP its 10.1.3.0/24 while at remote end is 10.1.6.0/24.</P><P>When I done the debug found that CP is sending it as 10.1.6.128/25 and that is the reason my tunnel is not coming up.</P><P>What could be the issue?</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Apr 2019 14:46:28 GMT https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51513#M10197 Blason_R 2019-04-22T14:46:28Z https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51515#M10198 <P>Hi,</P><P>Do you have your VPN Domain set up as based on Topology or a manually defined group?</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Apr 2019 15:12:52 GMT https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51515#M10198 Jean_Rosario 2019-04-22T15:12:52Z https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51516#M10199 Most likely scenario #1 here: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600</A> Mon, 22 Apr 2019 15:39:31 GMT https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51516#M10199 PhoneBoy 2019-04-22T15:39:31Z https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51520#M10200 <P>nah, tried that already but didnt work.</P><P>&nbsp;</P> Mon, 22 Apr 2019 16:01:33 GMT https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51520#M10200 Blason_R 2019-04-22T16:01:33Z https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51521#M10201 Clearly this points to a configuration error on one side or another.<BR />How exactly do you have the encryption domain for the remote site defined<BR />By that I mean, the specific objects that make it up?<BR />What changes have you made to crypt.def and/or ike_use_largest_possible_subnets to support this? Mon, 22 Apr 2019 16:30:35 GMT https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51521#M10201 PhoneBoy 2019-04-22T16:30:35Z https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51620#M10222 <P>PAN firewalls use route-based VPNs by default, and will propose/expect 0.0.0.0/0's in Phase 2 unless manual Proxy-IDs are configured on the PAN side to mimic a domain-based VPN.&nbsp; Has that been done on the PAN?</P> <P>&nbsp;</P> Wed, 24 Apr 2019 02:00:07 GMT https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51620#M10222 Timothy_Hall 2019-04-24T02:00:07Z https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51622#M10223 <P>Let me see if that was the issue. Well, the funny thing is; the tunnel was working fine when the appliances were on R77.30 and it broke as soon as those are upgraded to R80.20.</P> Wed, 24 Apr 2019 03:46:48 GMT https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51622#M10223 Blason_R 2019-04-24T03:46:48Z https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51638#M10228 <P>Yep, that was the issue "<SPAN>ike_use_largest_possible_subnets" disabled it and from dbedit and it worked perfectly fine.</SPAN></P><P>Thanks for the help.</P> Wed, 24 Apr 2019 08:08:09 GMT https://community.checkpoint.com/t5/General-Topics/Encryption-domain-mismatch-even-though-its-set-it-up-correctly/m-p/51638#M10228 Blason_R 2019-04-24T08:08:09Z