This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ryan_Ryan
Advisor
‎2022-02-09 12:40 PM

R81.10 VPN encryption domain override

Hi,

 

I have used the encryption domain override on both the center and remote gateways in two different vpns on two r81.10 gateways. Everything worked fine to my Cisco router on the other end with matching encryption domains (I am using mainly /32 host addresses).

 

However I then noticed something was not right, when I tried to send traffic in the other direction, sourced from behind checkpoint to the far end it did not work, in the checkpoint logs it said no SA has been established, although there was a matching SA for these host pairs as I could run the same traffic in the opposite direction without issue.

I turned debugging on the Cisco phase 2 and found the checkpoint was trying to propose a  /16 mask for the local network address which is in the gateways encryption domain, the /16 was not in the override, I tested by temporarily adding a /16 to the enc domain on the cisco side and guess what it worked.

 

Is there any reason why checkpoint would not use its override domain for outgoing traffic?

Labels
0 Kudos
5 Replies
Marcel_Gramalla
Advisor
‎2022-02-09 01:53 PM

Hi,

unfortunately you can't use this feature in that scenario. The override only works correctly if you select a host/network that is in the regular encryption domain. So if you have a /16 subnet in that you can only use that in the override. 

This makes this feature useless for us. Look at this sk: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

You can achieve that only with manually editing the user.DEF accordingly.

0 Kudos
(1)
Ryan_Ryan
Advisor
‎2022-02-09 03:22 PM
In response to Marcel_Gramalla

thank you for that. yes agreed that feature is not really at all useful as it sounded like it would be!

I would just add the /32 to the gateway encryption domain aswell but knowing the way checkpoint treats subnet masks it could cause issues with all our existing vpns.

 

 

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-02-09 05:13 PM
In response to Ryan_Ryan

Do you have correct vpn domains configured as per different vpn communities? Yes, you can have certain vpn domain configured on your gateway (cluster) object, but different domains can be used for different vpn tunnels. 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ryan_Ryan
Advisor
‎2022-02-09 07:37 PM
In response to the_rock

Yes that is what I have done, the gateway has an encryption domain 10.0.0.0/16 in it, but for this specific community I have used a group containing 10.0.10.10/32. But the phase 2 proposal still comes as /16 from the checkpoint

 

if you are meaning have I defined it using the user.def file then no I haven't used that method. 

 

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-02-09 08:19 PM
In response to Ryan_Ryan

K, I get what you are saying. Yea, that might be a bit tricky, since /32 is just single host, so it would not override. I believe @Marcel_Gramalla is correct, you may have to manually modify that in user.def file. I know with customer I worked with before, they never had this sort of problem, but then they did not use anything but subnets and Im pretty certain that any subnets they did end up using to override, were in fact part of original gateway encryption domain. See, all this comes from ages ago where it was always the case that CP would use largest possible subnet.

Maybe check settings I attached to make sure they are correct, that could be an issue. If they are not set to false, set them in guidbedit, save, push policy and then try again.

Andy

Best,
Andy
"Have a great day and if its not, change it"
Preview file
418 KB
Preview file
236 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events