Blason_R
Advisor

Encryption domain mismatch even though it's set up correctly

Hi Guys,

I have a tunnel set up between R80.20 and PAN. Phase 1 is up, but the encryption domains are mismatching. For CP it's 10.1.3.0/24, while at the remote end it's 10.1.6.0/24.

When I did the debug, I found that CP is sending it as 10.1.6.128/25, and that is the reason my tunnel is not coming up.

What could be the issue?

7 Replies
Jean_Rosario
Explorer

Hi,

Do you have your VPN Domain set up based on Topology or as a manually defined group?

PhoneBoy
Admin
Blason_R
Advisor

Nah, tried that already but it didn't work.

PhoneBoy
Admin
(Accepted solution)

Clearly this points to a configuration error on one side or another.
How exactly do you have the encryption domain for the remote site defined?
By that I mean, the specific objects that make it up?
What changes have you made to crypt.def and/or ike_use_largest_possible_subnets to support this?

Blason_R
Advisor

Yep, that was the issue. I disabled "ike_use_largest_possible_subnets" from dbedit and it worked perfectly fine.

Thanks for the help.

Timothy_Hall
Champion

PAN firewalls use route-based VPNs by default, and will propose/expect 0.0.0.0/0's in Phase 2 unless manual Proxy-IDs are configured on the PAN side to mimic a domain-based VPN.  Has that been done on the PAN?

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
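The Phase 2 selector comparison behind this thread, as an added example that is not from the thread, from Check Point or from Palo Alto: a small Python model with constructed data (a 10.1.3.0/24 local domain, a remote domain defined on the Check Point side as two /25 objects, and a PAN proxy-ID of 10.1.6.0/24 local / 10.1.3.0/24 remote, all assumed for illustration). It shows why a per-object selector of 10.1.6.128/25, like the one seen in the debug, fails IKEv1 quick mode against a /24 proxy-ID while a merged supernet matches, and how IKEv2 would narrow instead of failing. The two selector-derivation modes are a simplification for the example, not a reproduction of how ike_use_largest_possible_subnets actually chooses its subnet.

```python
import ipaddress
from typing import Iterable, List

# Constructed example data (assumed, not the thread's real configuration).
CP_LOCAL_DOMAIN = ["10.1.3.0/24"]                     # CP side's own encryption domain
CP_REMOTE_OBJECTS = ["10.1.6.0/25", "10.1.6.128/25"]  # remote site as two /25 objects (assumed)
PAN_PROXY_ID = {"local": "10.1.6.0/24", "remote": "10.1.3.0/24"}  # manual proxy-ID on the PAN (assumed)


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def smallest_enclosing_object(objects: Iterable[str], ip: str) -> ipaddress.IPv4Network:
    """Most specific configured object containing ip.

    Models a gateway that derives the Phase 2 ID from the individual object
    the packet's address falls into, rather than from the whole domain.
    """
    addr = ipaddress.ip_address(ip)
    candidates = [net(o) for o in objects if addr in net(o)]
    if not candidates:
        raise ValueError(f"{ip} is not in any configured object")
    return max(candidates, key=lambda n: n.prefixlen)


def collapsed_domain(objects: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent or overlapping objects into the largest subnets that cover them."""
    return list(ipaddress.collapse_addresses(net(o) for o in objects))


def phase2_verdict(proposed: str, expected: str, ikev2: bool = False) -> str:
    """Compare the selector the initiator proposes with the one the responder expects.

    IKEv1 quick mode: the IDs must match exactly or the responder rejects the SA.
    IKEv2: the responder may narrow to the common subset (RFC 7296, section 2.9).
    """
    p, e = net(proposed), net(expected)
    if p == e:
        return "match"
    if not p.overlaps(e):
        return "disjoint"
    if ikev2:
        narrowed = p if p.subnet_of(e) else e
        return f"narrowed to {narrowed}"
    return "mismatch"


def simulate(src_ip: str, dst_ip: str, supernet: bool, ikev2: bool = False) -> dict:
    """Phase 2 ID pair the CP side would send for src_ip -> dst_ip, and the outcome.

    supernet=False: selector is the single object containing the address.
    supernet=True:  selector is the merged supernet containing the address.
    """
    def selector(objects: List[str], ip: str) -> ipaddress.IPv4Network:
        if supernet:
            addr = ipaddress.ip_address(ip)
            return next(n for n in collapsed_domain(objects) if addr in n)
        return smallest_enclosing_object(objects, ip)

    local_id = selector(CP_LOCAL_DOMAIN, src_ip)
    remote_id = selector(CP_REMOTE_OBJECTS, dst_ip)
    # The PAN compares the pair: our local ID against its remote proxy-ID and vice versa.
    verdicts = {
        "local": phase2_verdict(str(local_id), PAN_PROXY_ID["remote"], ikev2),
        "remote": phase2_verdict(str(remote_id), PAN_PROXY_ID["local"], ikev2),
    }
    return {
        "proposed_local_id": str(local_id),
        "proposed_remote_id": str(remote_id),
        "verdict": verdicts["remote"] if verdicts["local"] == "match" else verdicts["local"],
        "pair": verdicts,
    }


if __name__ == "__main__":
    for supernet in (False, True):
        print(f"supernet={supernet}:", simulate("10.1.3.10", "10.1.6.200", supernet))
    print("IKEv2 narrowing:", simulate("10.1.3.10", "10.1.6.200", supernet=False, ikev2=True))
```

Run it as-is and the per-object mode reproduces the symptom from the debug (proposed remote ID 10.1.6.128/25, verdict "mismatch" against the PAN's 10.1.6.0/24), while the merged mode proposes 10.1.6.0/24 and matches; the same mismatch under IKEv2 would instead be narrowed to the /25, which is why an IKEv1 tunnel hard-fails on a selector that an IKEv2 tunnel would have tolerated.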
Blason_R
Advisor

Let me see if that was the issue. Well, the funny thing is, the tunnel was working fine when the appliances were on R77.30, and it broke as soon as they were upgraded to R80.20.
