https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168295#M27996 <P>The VPN tunnel is working but the supernetting is not working as what I expected. The largest subnet 10.105.0.0/16 is defined inside the VPN domain but CheckPoint is supernet it to 10.105.0.0/17. Please correct me if I was wrong about the supernet</P> Thu, 19 Jan 2023 01:18:11 GMT JLo 2023-01-19T01:18:11Z https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168157#M27972 <P>Hi All,</P><P>&nbsp;</P><P>I have a question about the CheckPoint VPN domain supernetting feature. Recently my side have a VPN tunnel established between CheckPoint and Fortigate firewall.</P><P>- CheckPoint's VPN domains as below,</P><UL><LI><SPAN>10.100.0.0/16</SPAN></LI><LI><SPAN>10.102.0.0/16</SPAN></LI><LI><SPAN>10.103.0.0/16</SPAN></LI><LI><SPAN>10.104.0.0/16</SPAN></LI><LI><SPAN>10.105.0.0/16</SPAN></LI><LI><SPAN>10.105.53.0/24</SPAN></LI><LI><SPAN>10.105.205.0/24</SPAN></LI><LI><SPAN>10.106.201.0/28</SPAN></LI><LI><SPAN>10.106.216.0/24</SPAN></LI><LI><SPAN>10.104.19.44</SPAN></LI><LI><SPAN>10.104.21.161/32</SPAN></LI><LI><SPAN>10.104.86.119/32</SPAN></LI><LI><SPAN>10.104.88.142/32</SPAN></LI><LI><SPAN>10.104.92.80/32</SPAN></LI><LI><SPAN>10.104.95.83/32</SPAN></LI><LI><SPAN>10.104.180.26/32</SPAN></LI><LI><SPAN>10.105.12.59/32</SPAN></LI><LI><SPAN>10.105.16.10/32</SPAN></LI><LI><SPAN>10.105.33.37/32</SPAN></LI><LI><SPAN>10.105.53.7x/32</SPAN></LI><LI><SPAN>10.105.181.x/32</SPAN></LI><LI><SPAN>10.106.115.32/32</SPAN></LI></UL><P>- Fortigate VPN domain can found inside the attachment.</P><P>- I did vpn and ike debug on the CheckPoint gateway and found that the VPN domain superNet using <A href="http://10.105.0.0/17" target="_blank" rel="noopener">10.105.0.0/17</A></P><DIV class="">&nbsp;</DIV><P>My question is why&nbsp;&nbsp;<SPAN>CheckPoint chooses&nbsp;</SPAN><A href="http://10.105.0.0/17" target="_blank" rel="noopener">10.105.0.0/17</A><SPAN>&nbsp;and not the other segment to SuperNet</SPAN></P><DIV>1. Why do CheckPoint supernet to<SPAN>&nbsp;</SPAN><A href="http://10.105.0.0/17" target="_blank" rel="noopener">10.105.0.0/17</A><SPAN>&nbsp;</SPAN>(we do not define this as one of the Traffic Selectors on CheckPoint) and not the other segment such as</DIV><DIV>a.<SPAN>&nbsp;</SPAN><A href="http://10.105.0.0/16" target="_blank" rel="noopener">10.105.0.0/16</A><SPAN>&nbsp;</SPAN>(we defined this as one of the Traffic Selector)</DIV><DIV>b.<SPAN>&nbsp;</SPAN><A href="http://10.105.0.0/18" target="_blank" rel="noopener">10.105.0.0/18</A><SPAN>&nbsp;</SPAN>(we do not have this as one of the Traffic Selector)</DIV><DIV>c.<SPAN>&nbsp;</SPAN><A href="http://10.105.0.0/15" target="_blank" rel="noopener">10.105.0.0/15</A><SPAN>&nbsp;</SPAN>(we do not have have this as one of the Traffic Selector)</DIV><DIV>&nbsp;</DIV><DIV>Hope anyone can answer this. Thank you</DIV> Wed, 18 Jan 2023 04:09:13 GMT https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168157#M27972 JLo 2023-01-18T04:09:13Z https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168174#M27975 <P>Why your question about the why of supernetting ? Does the VPN tunnel work as expected or not ?</P> Wed, 18 Jan 2023 09:54:50 GMT https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168174#M27975 G_W_Albrecht 2023-01-18T09:54:50Z https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168252#M27985 <P>This doesn't seem like it's supernetting correctly since you explicitly list 10.105.0.0/16 in your Encryption Domain.<BR />It shouldn't even create a 10.105.0.0/17 route in this case.<BR />Recommend engaging with the TAC here.</P> Wed, 18 Jan 2023 16:43:24 GMT https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168252#M27985 PhoneBoy 2023-01-18T16:43:24Z https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168294#M27995 <P>I also thinking the supernetting is no working correctly. Will try engage with TAC first for this problem.</P> Thu, 19 Jan 2023 01:15:25 GMT https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168294#M27995 JLo 2023-01-19T01:15:25Z https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168295#M27996 <P>The VPN tunnel is working but the supernetting is not working as what I expected. The largest subnet 10.105.0.0/16 is defined inside the VPN domain but CheckPoint is supernet it to 10.105.0.0/17. Please correct me if I was wrong about the supernet</P> Thu, 19 Jan 2023 01:18:11 GMT https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/168295#M27996 JLo 2023-01-19T01:18:11Z https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/173360#M28938 <P>Did TAC help to resolve this ?</P> Thu, 02 Mar 2023 13:16:06 GMT https://community.checkpoint.com/t5/General-Topics/CheckPoint-VPN-Domain-Supernetting-Questions/m-p/173360#M28938 G_W_Albrecht 2023-03-02T13:16:06Z