D_TK
Contributor

Remote Access encryption domain

Good day everyone.  Added to the encryption domain group object for the first time in years, and I'm seeing weird behavior.  Prior to my change, the group had a slew of /24 networks and /32 hosts configured - no issue.  Added a few /24 networks, and I'm seeing them carved up - 192.168.26.0/24 is an example - here's what I get in my routing table after I connect via CP Mobile:

192.168.26.0      255.255.255.255    172.27.253.253    172.27.253.254    1
192.168.26.4      255.255.255.252    172.27.253.253    172.27.253.254    1
192.168.26.8      255.255.255.248    172.27.253.253    172.27.253.254    1
192.168.26.16     255.255.255.240    172.27.253.253    172.27.253.254    1
192.168.26.32     255.255.255.224    172.27.253.253    172.27.253.254    1
192.168.26.64     255.255.255.192    172.27.253.253    172.27.253.254    1
192.168.26.128    255.255.255.128    172.27.253.253    172.27.253.254    1

I've set "enable_supernet_per_community" to both 0 and 1; neither helped.  Clearly I'm missing something.


Any guidance would be greatly appreciated.

thanks

PhoneBoy
Admin

Are there IPs in use on either the client or gateway that overlap with these subnets?

the_rock
Leader

Phoneboy makes a good point...overlapping domains.

D_TK
Contributor

Thank you both for your replies, much appreciated.

I wasn't receiving the policy push warning about overlapping domains, but when I ran "vpn overlap_encdom" on the gateway, I saw that there are quite a few.

Here is the layout - I have (8) internal sites that all participate in a meshed community.  Each of them has its locally connected networks as its encryption domain.  I also have the gateway serving as the public-facing remote access concentrator; this gateway is not part of the mesh community - this gateway has as its encryption domain every network at every location it can see (including its own locally connected networks).  So...when I ran the "vpn overlap_encdom" command, it had entries for every location.  Is there a correct way to resolve this?

All versions are 80.40 hfa91

thanks.

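The two symptoms in this thread, the /24 being carved into smaller prefixes in the client's route table and "vpn overlap_encdom" reporting overlaps between the remote-access gateway and every site, can be reproduced with a short script. The following Python is an added example written for this page; it is not Check Point code and does not implement how the gateway actually computes the client's routes. The gateway names, the network lists and the three excluded hosts (192.168.26.1 to .3) are constructed for illustration. They are not taken from the poster's environment, but excluding exactly those three addresses from 192.168.26.0/24 yields the seven prefixes shown in the posted route table, which is the point of the example: a contiguous network minus a few addresses that belong elsewhere decomposes into the largest CIDR blocks that avoid them.

```python
import ipaddress
from itertools import combinations

# Constructed encryption domains (not the poster's real data): one remote-access
# gateway whose domain contains every site's networks, plus the site gateways
# that own those networks. This is the layout described in the thread.
ENCRYPTION_DOMAINS = {
    "ra-gateway": ["192.168.26.0/24", "192.168.27.0/24", "10.10.0.0/16"],
    "site-a":     ["192.168.26.0/24"],
    "site-b":     ["10.10.5.0/24", "192.168.27.0/24"],
}


def find_overlaps(domains):
    """Return one (gw1, net1, gw2, net2) tuple for every pair of networks
    that overlap between two different gateways.

    This is the same question 'vpn overlap_encdom' answers on the gateway:
    which encryption domains share address space.
    """
    parsed = {gw: [ipaddress.ip_network(n) for n in nets]
              for gw, nets in domains.items()}
    hits = []
    for (gw1, nets1), (gw2, nets2) in combinations(parsed.items(), 2):
        for n1 in nets1:
            for n2 in nets2:
                if n1.overlaps(n2):
                    hits.append((gw1, str(n1), gw2, str(n2)))
    return hits


def split_domain(network, excluded):
    """Carve `network` into the largest CIDR blocks that contain none of the
    addresses in `excluded`, returned in ascending order.

    This models what a client's route table looks like when some hosts inside
    a /24 in the remote-access domain are claimed by another encryption
    domain: the /24 can no longer be one route and is expressed as its
    complement pieces.
    """
    nets = [ipaddress.ip_network(network)]
    for ex in excluded:
        ex = ipaddress.ip_network(ex)
        remaining = []
        for n in nets:
            if ex.subnet_of(n):
                # address_exclude yields the pieces of n that avoid ex
                # (nothing at all when ex == n, i.e. n is dropped entirely)
                remaining.extend(n.address_exclude(ex))
            elif n.subnet_of(ex):
                continue          # n lies wholly inside the exclusion
            else:
                remaining.append(n)
        nets = remaining
    return sorted(nets)


def split_domain_strings(network, excluded):
    """String form of split_domain, convenient for printing and asserting."""
    return [str(n) for n in split_domain(network, excluded)]


if __name__ == "__main__":
    print("Overlapping encryption domains:")
    for gw1, n1, gw2, n2 in find_overlaps(ENCRYPTION_DOMAINS):
        print(f"  {gw1} {n1}  <->  {gw2} {n2}")

    # Hypothetical: three hosts at the bottom of the /24 belong elsewhere.
    carved = split_domain_strings("192.168.26.0/24",
                                  ["192.168.26.1/32",
                                   "192.168.26.2/32",
                                   "192.168.26.3/32"])
    print("\nRoutes a client would need instead of one /24:")
    for prefix in carved:
        net = ipaddress.ip_network(prefix)
        print(f"  {str(net.network_address):<16} {str(net.netmask):<16}")
```

Running it prints the three domain overlaps in the constructed data and then the seven prefixes 192.168.26.0/32, .4/30, .8/29, .16/28, .32/27, .64/26 and .128/25, matching the masks in the posted route table. The useful diagnostic step for the real environment is therefore to look at what "vpn overlap_encdom" lists for the affected /24 and find which other gateway's domain claims the addresses that are missing from the client's routes.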
the_rock
Leader

Check below...not sure if it applies, but I would need to see it on a remote session if you are willing to show me the exact issue...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Andy
