Blason_R
Leader

Encryption domain mismatch even though it's set up correctly

Hi Guys,

I have a tunnel set up between R80.20 and PAN. Phase 1 is up, but the encryption domains are mismatching. For CP it's 10.1.3.0/24, while at the remote end it is 10.1.6.0/24.

When I did the debug, I found that CP is sending it as 10.1.6.128/25, and that is the reason my tunnel is not coming up.

What could be the issue?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Accepted Solutions
PhoneBoy
Admin
Clearly this points to a configuration error on one side or another.
How exactly do you have the encryption domain for the remote site defined?
By that I mean, the specific objects that make it up?
What changes have you made to crypt.def and/or ike_use_largest_possible_subnets to support this?
Jean_Rosario
Explorer

Hi,

Do you have your VPN Domain set up as based on Topology or a manually defined group?

Blason_R
Leader

Nah, tried that already but it didn't work.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Blason_R
Leader

Yep, that was the issue: I disabled "ike_use_largest_possible_subnets" from dbedit and it worked perfectly fine.

Thanks for the help.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Timothy_Hall
Champion

PAN firewalls use route-based VPNs by default, and will propose/expect 0.0.0.0/0's in Phase 2 unless manual Proxy-IDs are configured on the PAN side to mimic a domain-based VPN. Has that been done on the PAN?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Blason_R
Leader

Let me see if that was the issue. Well, the funny thing is, the tunnel was working fine when the appliances were on R77.30, and it broke as soon as they were upgraded to R80.20.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
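An added example, not from the thread or from Check Point or Palo Alto: a small Python model of why a Phase 2 selector can come out as 10.1.6.128/25 when the peer expects 10.1.6.0/24, plus a check that flags the mismatch before anyone runs an IKE debug. It assumes a simplified "largest possible subnet" rule (the gateway proposes the biggest configured object in the VPN domain that contains the destination, never aggregating beyond an object) and that the peer requires an exact proxy-ID match; the domain objects are constructed sample data.

```python
# Added example (not the vendors' code): model of Phase 2 selector selection
# from VPN-domain objects and a mismatch check against the peer's proxy-IDs.
import ipaddress
from typing import Iterable, List, Optional

Net = ipaddress.IPv4Network

def largest_containing_subnet(domain_objects: Iterable[Net], host: str) -> Optional[Net]:
    """Assumed model of ike_use_largest_possible_subnets: among the objects that
    make up the VPN domain, propose the largest one containing the host.
    The gateway is assumed never to aggregate beyond a configured object."""
    addr = ipaddress.IPv4Address(host)
    candidates = [n for n in domain_objects if addr in n]
    if not candidates:
        return None
    return max(candidates, key=lambda n: n.num_addresses)

def selector_matches(proposed: Net, peer_proxy_ids: Iterable[Net]) -> bool:
    """Assumption: the peer accepts a selector only if it equals one of its
    configured proxy-IDs; a subnet that is merely contained in one is a mismatch."""
    return any(proposed == p for p in peer_proxy_ids)

def diagnose(domain_objects: List[Net], peer_proxy_ids: List[Net], host: str) -> str:
    """Report how the proposed selector compares with the peer's proxy-IDs."""
    proposed = largest_containing_subnet(domain_objects, host)
    if proposed is None:
        return "host not in local VPN domain"
    if selector_matches(proposed, peer_proxy_ids):
        return f"ok: {proposed}"
    covering = [p for p in peer_proxy_ids if proposed.subnet_of(p)]
    if covering:
        return f"mismatch: proposing {proposed}, peer expects {covering[0]}"
    return f"mismatch: proposing {proposed}, no peer proxy-ID covers it"

# Constructed sample data: the remote site's domain on the local gateway defined
# as two /25 objects versus one /24 object; the peer has a single /24 proxy-ID.
SPLIT_DOMAIN = [ipaddress.ip_network("10.1.6.0/25"), ipaddress.ip_network("10.1.6.128/25")]
FLAT_DOMAIN = [ipaddress.ip_network("10.1.6.0/24")]
PEER_PROXY_IDS = [ipaddress.ip_network("10.1.6.0/24")]

if __name__ == "__main__":
    for label, domain in (("split objects", SPLIT_DOMAIN), ("single object", FLAT_DOMAIN)):
        print(f"{label}: {diagnose(domain, PEER_PROXY_IDS, '10.1.6.200')}")
```

The split definition reproduces the /25 seen in the thread's debug; redefining the domain as the single /24 (or, as the original poster did, turning the option off) makes the proposal line up with the peer.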