topic Re: Partial overlapping encryption domains in SASE and Remote Access

Partial overlapping encryption domains

JoeBandura — Thu, 26 Mar 2026 12:26:51 GMT

Hey ya'll, hopefully this is an easy question to answer.

I have two sites that we'll call SITEA and SITEB that are physically remote, but directly connected via fiber. Both sites each have a R81.10 FW cluster that we'll call GWA at SITEA and GWB at SITEB that provides NAT and internet access at each site. SITEA also has an R81.10 management station that acts as logging and management for both GWA and GWB via their internal interfaces.

My plan is to configure the VPN blade on GWA and GWB and setup a site-to-site VPN between them. This would act as a redundant path in the event our fiber connection between the two sites goes down. Assume the routing details for this setup are taken care of.

I have since enabled the VPN blade on both GWA and GWB without configuring a VPN tunnel and installed policy. During/after policy installation, I have received this warning:

"The gateways GWA and GWB have partial overlapping encryption domains. Therefore, Endpoint Connect users will not support MEP configuration SecureRemote/SecureClient users will not be able to create site. If any of the GWs should not be exported to SR/SC. please remote it from the RemoteAccess community or uncheck the exportable for SR box. The overlapping domain include..."

I have read Scenario 1 of sk106837 which appears to be my situation. But, from my understanding, this won't seem to apply to me since I have no plans to use RemoteAccess or Secondary Connect. However, I would like to not see this message every time I install a policy since it may potentially mask other issues.

Any help is appreciated. Thank you.

Re: Partial overlapping encryption domains

simonemantovani — Thu, 26 Mar 2026 12:44:26 GMT

Hello

could you provide configuration for bot gateways? (configuration, topology, vpn communities, etc.) To better understand the topology of your sites.

Re: Partial overlapping encryption domains

JoeBandura — Thu, 26 Mar 2026 13:01:54 GMT

SITEA: 10.10.0.0/16
Management Station: 10.10.0.10

There is a router on the fiber connection to route traffic from SITEA to SITEB. Currently that's done with simple static routes, but will be changed.

SITEB: 10.20.0.0/16

GWA:
Internal - 10.10.0.1, Topology leads to - [Group with all internal networks of both SITEA & SITEB]
External - 1.2.3.4, Topology leads to - External (Internet)

GWB:
Internal - 10.20.0.1, Topology leads to - [Group with all internal networks of both SITEA & SITEB]
External - 4.3.2.1, Topology leads to - External (Internet)

After doing some reading, I am thinking I need to set a User Defined VPN Domain on both GWA and GWB under the gateway properties -> Network Management -> VPN Domain. Maybe specify the site specific network(s) for each gateway?

Re: Partial overlapping encryption domains

simonemantovani — Thu, 26 Mar 2026 12:59:46 GMT

The error could be related to the fact that both internal network are 10.10.x.x/16.

Yes, it's best to define the VPN domain for both gateway; pay attention, in both VPN domain you can't define 10.10.x.x with /16 subnet mask, because you'll have overlapping domains.

Re: Partial overlapping encryption domains

JoeBandura — Thu, 26 Mar 2026 13:02:48 GMT

Yeah, you're right. It's early and I haven't had coffee. I fixed the network addresses.

Re: Partial overlapping encryption domains

the_rock — Thu, 26 Mar 2026 13:07:55 GMT

If they have to overlap, then NAT would be required.

Re: Partial overlapping encryption domains

Martijn — Thu, 26 Mar 2026 13:37:44 GMT

Hi,

So traffic between site A and site B is going over the fiber connection and the sole purpose of the VPN is a backup in case the fiber connection has issues. Correct?

Instead of using domain based VPN, you can take a look at route based VPN for the VPN connection between both sites.
Have a routing protocol like OSPF in place to update routes in the network. In case there is an issue with the fiber connection, routes are updated with OSPF and traffic is send via the VPN connection.

No need for Encryption Domains (route based VPN uses an empty group).

Martijn

Re: Partial overlapping encryption domains

JoeBandura — Thu, 26 Mar 2026 13:34:09 GMT

Correct. VPN use case is only in the event the fiber goes down.

I will look at this. Thank you.