Rob_Bush

VPN to 3rd parties with large subnets

Greetings all,

 

We currently have VPNs with our sister companies (3rd party firewalls).  Our network is growing fast and our defined networks in the VPN Domain of the Checkpoint gateways continues to increase, which means we must constantly communicate with the 3rd parties to ask them to add yet another network to the encryption domain so that the VPN tunnel can work correctly.  It would be easier if I could just manually define the one large subnet block assigned to us instead of all the smaller subnets so that we can just make one change with our 3rd parties and be done with it entirely.  We currently "own" the 10.0.0.0/9 network range for our local company while the remote sites own /10's.  We are not using every network within that range, however we do seem to be slicing and dicing the /9 network up more and more all the time and the VPN Domain setting on the gateway continues to grow and grow.

 

I have been searching on the Checkpoint knowledge base and various internet searches to try and find out if there is a best practice on how big of a subnet you can or should define for a VPN tunnel?  Sadly, I'm striking out.  Does anyone have any experience with this on the Checkpoint side of things?  Is there a limit to the size network I should manually define in the VPN Domain?  I would love to specify the entire 10.0.0.0/9 and be done with it, but I'd be happy to cut that down to two /10's or four /11's, as even those would be easier to coordinate with my overseas counterparts versus the huge list we have right now.

 

Thanks in advance for any help.

1 Reply

Re: VPN to 3rd parties with large subnets

As long as you don't have any overlapping networks, there is no problem in using the 10/9 network in the VPN domain, just make sure to use the same setting on the other side of the tunnel.
Regards, Maarten
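The two conditions in the reply above (the summary block must contain every local network, and it must not overlap anything on the far side) are easy to get wrong by hand once the list is long. The script below is an added example, not code from the thread or from Check Point: it uses Python's standard `ipaddress` module to collapse a list of local subnets into the fewest supernets, find the smallest single block that covers all of them, and validate a proposed encryption-domain block against the peer's networks. The subnet lists are constructed sample data, not the poster's real addressing.

```python
import ipaddress

# Constructed sample data (assumption, not taken from the thread):
# a few of the networks carved out of the local 10.0.0.0/9, and the
# sister company's encryption domain on the other side of the tunnel.
LOCAL_SUBNETS = [
    "10.0.0.0/16",
    "10.1.0.0/16",
    "10.3.128.0/17",
    "10.64.0.0/12",
]
PEER_SUBNETS = [
    "10.128.0.0/10",   # the remote site's /10, outside 10.0.0.0/9
    "172.16.0.0/12",
]


def parse(nets):
    """Parse prefix strings; strict=True rejects host bits set in the prefix."""
    return [ipaddress.ip_network(n, strict=True) for n in nets]


def summarize(nets):
    """Collapse the list into the fewest non-overlapping supernets.

    Adjacent, aligned prefixes (10.0.0.0/16 + 10.1.0.0/16) merge into one
    (10.0.0.0/15); everything else is kept as is.
    """
    return list(ipaddress.collapse_addresses(parse(nets)))


def smallest_single_block(nets):
    """Smallest single prefix that contains every network in the list."""
    parsed = parse(nets)
    block = min(parsed, key=lambda n: n.network_address)
    # Widen the prefix one bit at a time until it covers every subnet.
    while not all(n.subnet_of(block) for n in parsed):
        block = block.supernet()
    return block


def check_proposed_domain(proposed, local, peer):
    """Validate a candidate encryption-domain block.

    Returns (ok, uncovered, overlaps):
      ok        - True only if the block covers every local subnet and
                  overlaps none of the peer's networks
      uncovered - local subnets the block does not contain
      overlaps  - peer networks the block collides with
    """
    block = ipaddress.ip_network(proposed, strict=True)
    uncovered = [n for n in parse(local) if not n.subnet_of(block)]
    overlaps = [p for p in parse(peer) if block.overlaps(p)]
    return (not uncovered and not overlaps, uncovered, overlaps)


if __name__ == "__main__":
    print("collapsed local list:", [str(n) for n in summarize(LOCAL_SUBNETS)])
    print("smallest covering block:", smallest_single_block(LOCAL_SUBNETS))
    for candidate in ("10.0.0.0/10", "10.0.0.0/9", "10.0.0.0/8"):
        ok, uncovered, overlaps = check_proposed_domain(candidate, LOCAL_SUBNETS, PEER_SUBNETS)
        print(candidate, "ok" if ok else "NOT ok",
              "uncovered:", [str(n) for n in uncovered],
              "overlaps peer:", [str(n) for n in overlaps])
```

With the sample data, a /10 is rejected because it misses 10.64.0.0/12, the /9 passes both checks, and a /8 is rejected because it overlaps the peer's 10.128.0.0/10. Run the same check against the peer's list whenever either side adds a network, since the reply's condition has to hold in both directions.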