topic Re: Remote Access encryption domain in General Topics

Remote Access encryption domain

D_TK — Sat, 06 Feb 2021 20:24:56 GMT

Good Day everyone. Added to the encryption domain group object for the first time in years, and seeing weird behavior. Prior to my change, the group has a slew of /24 networks, and /32 hosts configed - no issue. Added a few /24 networks, and I'm seeing them carved up - 192.168.26.0 /24 is an example - here's what i get in my routing table after i connect via CP Mobile:

192.168.26.0         255.255.255.255      172.27.253.253      172.27.253.254 1
192.168.26.4         255.255.255.252    172.27.253.253       172.27.253.254 1
192.168.26.8         255.255.255.248      172.27.253.253       172.27.253.254 1
192.168.26.16       255.255.255.240      172.27.253.253       172.27.253.254 1
192.168.26.32       255.255.255.224      172.27.253.253      172.27.253.254 1
192.168.26.64       255.255.255.192      172.27.253.253      172.27.253.254 1
192.168.26.128     255.255.255.128      172.27.253.253       172.27.253.254 1

I've set "enable_supernet_per_community" to both 0 & 1, neither helped. Clearly i'm missing something.

Any guidance would be greatly appreciated.

thanks

Re: Remote Access encryption domain

PhoneBoy — Sat, 06 Feb 2021 21:54:51 GMT

Are there IPs in use on either the client or gateway that overlap with these subjects?

Re: Remote Access encryption domain

the_rock — Sat, 06 Feb 2021 22:34:53 GMT

Phoneboy makes a good point...overlapping domains.

Re: Remote Access encryption domain

D_TK — Sat, 06 Feb 2021 23:43:02 GMT

Thank you both for your replies, much appreciated.

I wasn't receiving the policy push warning about overlapping domains, but when i ran "vpn overlap_encdom" on the gateway, i saw that there is quite a few.

Here is the layout - I have (8) internal sites that all participate in a meshed community. Each of them have their locally connected networks as their encryption domain. I also have the gateway serving as the public facing remote access concentrator, this gateway is not part of the mesh community - this gateway has for its encryption domain every network at every location it can see (including its own locally connected networks). So...when i ran the "vpn overlap_encdom" command - it had entries for every location. Is there a correct way to resolve this?

All versions are 80.40 hfa91

thanks.

Re: Remote Access encryption domain

the_rock — Sun, 07 Feb 2021 00:45:28 GMT

Check below...not sure if it applies, but I would need to see it on remote session if you are willing to show me the exact issue...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25675

Andy