topic Re: Encryption Domains that are External IPs in Spark Firewall (SMB)

Encryption Domains that are External IPs

sx8n20394 — Fri, 28 Feb 2025 07:31:03 GMT

Appliance : Locally Managed QS 1535

Firmware r81.10.10

I need to setup a S2S VPN with a customer. They have a requirement that all encryption domains are WAN IP addresses. I have a range of 5 addresses but only 1 is used which is the WAN interface of my firewall. Do I just tell them my peer and encryption domains are x.x.x.x/32 (same IP)? Also, can I safely assume I should uncheck disable NAT in the site tunnel settings?

Re: Encryption Domains that are External IPs

PhoneBoy — Fri, 28 Feb 2025 16:48:00 GMT

Sounds like the right answer on both counts.
Note that your local Encryption Domain should include the hosts that you want to communicate through the VPN.

Re: Encryption Domains that are External IPs

the_rock — Fri, 28 Feb 2025 17:38:31 GMT

If NAT is needed, then dont check disable nat inside vpn community object.

Andy

Re: Encryption Domains that are External IPs

sx8n20394 — Fri, 28 Feb 2025 18:32:07 GMT

The network is simple. I have my WAN IP (lets call it 99.1.1.1) and a simple 192.168.1.0/24 local network. I am used to setting up VPNs where the encryption domains are local IP subnets. In this case the vendor will not allow local IPs in my encryption domain, they have to be WAN IPs. In my case, we only utilize 1 WAN IP. I will just go ahead and tell them to use my WAN IP (ex. 99.1.1.1) as the peer and encryption domain and see what happens.

Re: Encryption Domains that are External IPs

the_rock — Sat, 01 Mar 2025 00:13:10 GMT

Also, dont check option to exclude external IP from vpn domain, its on vpn domain tab under topology or network (cant remember now exactly) when you edit gw object in smart console.

Andy

Re: Encryption Domains that are External IPs

PhoneBoy — Thu, 06 Mar 2025 23:32:48 GMT

The local Encryption Domain tells the gateway what traffic to encrypt and must include hosts you wish to traverse the VPN.
As long as you've enabled NAT is enabled in the VPN configuration (i.e. untick the relevant box), the remote end can use the public IP only as your encryption domain.

Re: Encryption Domains that are External IPs

sx8n20394 — Fri, 07 Mar 2025 03:48:39 GMT

Thanks for the advice but it still doesn't work. The tunnel actually came up at one point but then went down after IPSEC Phase 2 rekeyed after 60 minutes. I then got the same error Traffic Selectors Unacceptable again.

Re: Encryption Domains that are External IPs

sx8n20394 — Fri, 07 Mar 2025 03:49:09 GMT

Unfortunately this is just a locally managed device with no smart console.

Re: Encryption Domains that are External IPs

the_rock — Fri, 07 Mar 2025 03:55:07 GMT

I suggest involving TAC.

Andy

Re: Encryption Domains that are External IPs

Duane_Toler — Fri, 07 Mar 2025 04:49:49 GMT

In addition to everyone else's comments, you also need to include the original hosts inside your network (this is needed to trigger the VPN negotiation). Verify the NAT policy also will contain appropriate rules for the inside hosts to have NAT applied (you could also NAT the internal hosts to another external host other than your gateway's own IP, if you wanted). The original 192.168.1.x hosts AND the NAT IP needs to be in your VPN domain for your side. The remote side only needs your NAT IP.

This is what's causing your rekey to fail after 60 minutes.

Re: Encryption Domains that are External IPs

sx8n20394 — Fri, 07 Mar 2025 05:32:26 GMT

I did. I have had 2 different cases opened (including 1 currently open) and haven't gotten any solid answers or solutions. The situation is now critical because this is for a client. I will just hold my breath and hope something good happens.

Re: Encryption Domains that are External IPs

sx8n20394 — Fri, 07 Mar 2025 05:34:50 GMT

I just let the Checkpoint select the local domain automatically so I would assume it is doing that. Also, I am afraid of changing the local encryption domain globally (locally managed, no smart-1) and not being able to setup future S2S VPNs. Note, I did change it globally to manually managed and still no luck.