JustinLow
Contributor

CheckPoint VPN Domain Supernetting Questions

Hi All,

I have a question about the CheckPoint VPN domain supernetting feature. Recently my side has had a VPN tunnel established between a CheckPoint and a Fortigate firewall.

- CheckPoint's VPN domains as below,

  • 10.100.0.0/16
  • 10.102.0.0/16
  • 10.103.0.0/16
  • 10.104.0.0/16
  • 10.105.0.0/16
  • 10.105.53.0/24
  • 10.105.205.0/24
  • 10.106.201.0/28
  • 10.106.216.0/24
  • 10.104.19.44
  • 10.104.21.161/32
  • 10.104.86.119/32
  • 10.104.88.142/32
  • 10.104.92.80/32
  • 10.104.95.83/32
  • 10.104.180.26/32
  • 10.105.12.59/32
  • 10.105.16.10/32
  • 10.105.33.37/32
  • 10.105.53.7x/32
  • 10.105.181.x/32
  • 10.106.115.32/32

- The Fortigate VPN domain can be found inside the attachment.

- I did a vpn and ike debug on the CheckPoint gateway and found that the VPN domain supernet is using 10.105.0.0/17.

My question is why CheckPoint chooses 10.105.0.0/17 and not another segment to supernet:

1. Why does CheckPoint supernet to 10.105.0.0/17 (we do not define this as one of the Traffic Selectors on CheckPoint) and not another segment such as
a. 10.105.0.0/16 (we defined this as one of the Traffic Selectors)
b. 10.105.0.0/18 (we do not have this as one of the Traffic Selectors)
c. 10.105.0.0/15 (we do not have this as one of the Traffic Selectors)

Hope anyone can answer this. Thank you
0 Kudos
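To compare the debug output against what a plain prefix aggregation of the posted VPN domain would give, here is an added example (not from the post, not Check Point's own supernetting code) that collapses the listed prefixes with Python's ipaddress module; it assumes the two redacted hosts are omitted and the bare 10.104.19.44 is a /32.

```python
import ipaddress

# Constructed from the VPN domain list in the post. The two redacted hosts
# (10.105.53.7x, 10.105.181.x) are left out; 10.104.19.44 is treated as a /32.
CHECKPOINT_VPN_DOMAIN = [
    "10.100.0.0/16", "10.102.0.0/16", "10.103.0.0/16", "10.104.0.0/16",
    "10.105.0.0/16", "10.105.53.0/24", "10.105.205.0/24", "10.106.201.0/28",
    "10.106.216.0/24", "10.104.19.44/32", "10.104.21.161/32",
    "10.104.86.119/32", "10.104.88.142/32", "10.104.92.80/32",
    "10.104.95.83/32", "10.104.180.26/32", "10.105.12.59/32",
    "10.105.16.10/32", "10.105.33.37/32", "10.106.115.32/32",
]


def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def collapse_domain(prefixes):
    """Minimal set of networks covering every configured prefix.

    Adjacent /16s merge into a /15 and covered entries disappear, which is the
    most a pure aggregation could ever produce; nothing narrower than a
    configured prefix (such as a /17 under a configured /16) should appear.
    """
    return sorted(ipaddress.collapse_addresses(_nets(prefixes)))


def redundant_entries(prefixes):
    """Entries already contained in a broader entry of the same domain."""
    nets = _nets(prefixes)
    return [str(n) for n in nets
            if any(n != o and n.subnet_of(o) for o in nets)]


def covering_entry(prefixes, selector):
    """Configured entry that contains a selector seen in the debug, or None."""
    sel = ipaddress.ip_network(selector, strict=False)
    for n in _nets(prefixes):
        if sel.subnet_of(n):
            return str(n)
    return None


if __name__ == "__main__":
    print("collapsed:", [str(n) for n in collapse_domain(CHECKPOINT_VPN_DOMAIN)])
    print("redundant:", redundant_entries(CHECKPOINT_VPN_DOMAIN))
    print("10.105.0.0/17 is inside:",
          covering_entry(CHECKPOINT_VPN_DOMAIN, "10.105.0.0/17"))
```

If the gateway negotiates a selector that a configured entry already contains, as here with the /17 under 10.105.0.0/16, that is the discrepancy worth showing TAC alongside the debug.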
5 Replies
G_W_Albrecht
Legend

Why your question about the why of supernetting? Does the VPN tunnel work as expected or not?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JustinLow
Contributor

The VPN tunnel is working but the supernetting is not working as I expected. The largest subnet 10.105.0.0/16 is defined inside the VPN domain but CheckPoint is supernetting it to 10.105.0.0/17. Please correct me if I am wrong about the supernet.

0 Kudos
PhoneBoy
Admin
Admin

This doesn't seem like it's supernetting correctly since you explicitly list 10.105.0.0/16 in your Encryption Domain.
It shouldn't even create a 10.105.0.0/17 route in this case.
Recommend engaging with the TAC here.

JustinLow
Contributor

I also think the supernetting is not working correctly. Will try to engage with TAC first for this problem.

0 Kudos
G_W_Albrecht
Legend

Did TAC help to resolve this?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos