This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JustinLow
Contributor
‎2023-01-17 08:09 PM

CheckPoint VPN Domain Supernetting Questions

Hi All,

 

I have a question about the CheckPoint VPN domain supernetting feature. Recently my side have a VPN tunnel established between CheckPoint and Fortigate firewall.

- CheckPoint's VPN domains as below,

  • 10.100.0.0/16
  • 10.102.0.0/16
  • 10.103.0.0/16
  • 10.104.0.0/16
  • 10.105.0.0/16
  • 10.105.53.0/24
  • 10.105.205.0/24
  • 10.106.201.0/28
  • 10.106.216.0/24
  • 10.104.19.44
  • 10.104.21.161/32
  • 10.104.86.119/32
  • 10.104.88.142/32
  • 10.104.92.80/32
  • 10.104.95.83/32
  • 10.104.180.26/32
  • 10.105.12.59/32
  • 10.105.16.10/32
  • 10.105.33.37/32
  • 10.105.53.7x/32
  • 10.105.181.x/32
  • 10.106.115.32/32

- Fortigate VPN domain can found inside the attachment.

- I did vpn and ike debug on the CheckPoint gateway and found that the VPN domain superNet using 10.105.0.0/17

 

My question is why  CheckPoint chooses 10.105.0.0/17 and not the other segment to SuperNet

1. Why do CheckPoint supernet to 10.105.0.0/17 (we do not define this as one of the Traffic Selectors on CheckPoint) and not the other segment such as
a. 10.105.0.0/16 (we defined this as one of the Traffic Selector)
b. 10.105.0.0/18 (we do not have this as one of the Traffic Selector)
c. 10.105.0.0/15 (we do not have have this as one of the Traffic Selector)
 
Hope anyone can answer this. Thank you
Preview file
54 KB
Preview file
116 KB
Preview file
290 KB
0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-01-18 01:54 AM

Why your question about the why of supernetting ? Does the VPN tunnel work as expected or not ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JustinLow
Contributor
‎2023-01-18 05:18 PM
In response to G_W_Albrecht

The VPN tunnel is working but the supernetting is not working as what I expected. The largest subnet 10.105.0.0/16 is defined inside the VPN domain but CheckPoint is supernet it to 10.105.0.0/17. Please correct me if I was wrong about the supernet

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-18 08:43 AM

This doesn't seem like it's supernetting correctly since you explicitly list 10.105.0.0/16 in your Encryption Domain.
It shouldn't even create a 10.105.0.0/17 route in this case.
Recommend engaging with the TAC here.

JustinLow
Contributor
‎2023-01-18 05:15 PM
In response to PhoneBoy

I also thinking the supernetting is no working correctly. Will try engage with TAC first for this problem.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-03-02 05:16 AM
In response to JustinLow

Did TAC help to resolve this ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events