Remote Access encryption domain
Good day everyone. Added to the encryption domain group object for the first time in years, and seeing weird behavior. Prior to my change, the group had a slew of /24 networks and /32 hosts configured - no issue. Added a few /24 networks, and I'm seeing them carved up - 192.168.26.0/24 is an example - here's what I get in my routing table after I connect via CP Mobile:
192.168.26.0 255.255.255.255 172.27.253.253 172.27.253.254 1
192.168.26.4 255.255.255.252 172.27.253.253 172.27.253.254 1
192.168.26.8 255.255.255.248 172.27.253.253 172.27.253.254 1
192.168.26.16 255.255.255.240 172.27.253.253 172.27.253.254 1
192.168.26.32 255.255.255.224 172.27.253.253 172.27.253.254 1
192.168.26.64 255.255.255.192 172.27.253.253 172.27.253.254 1
192.168.26.128 255.255.255.128 172.27.253.253 172.27.253.254 1
I've set "enable_supernet_per_community" to both 0 and 1; neither helped. Clearly I'm missing something.
Any guidance would be greatly appreciated.
Thanks.
Are there IPs in use on either the client or gateway that overlap with these subjects?
Phoneboy makes a good point...overlapping domains.
Thank you both for your replies, much appreciated.
I wasn't receiving the policy push warning about overlapping domains, but when I ran "vpn overlap_encdom" on the gateway, I saw that there are quite a few.
Here is the layout - I have (8) internal sites that all participate in a meshed community. Each of them has its locally connected networks as its encryption domain. I also have the gateway serving as the public-facing remote access concentrator; this gateway is not part of the mesh community. This gateway has for its encryption domain every network at every location it can see (including its own locally connected networks). So...when I ran the "vpn overlap_encdom" command, it had entries for every location. Is there a correct way to resolve this?
All versions are 80.40 hfa91
thanks.
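The carved-up routes in the opening post and the overlap confirmed by "vpn overlap_encdom" are two sides of the same thing: when a small range inside a /24 is excluded, the remainder can only be expressed as a ladder of progressively larger CIDR blocks. The following Python script is an added illustration, not code from the thread or from Check Point; it assumes the route lines are in the "destination mask gateway interface metric" format shown above, and uses the standard ipaddress module to infer which addresses the pushed routes leave out and to rebuild the route list from that exclusion.

```python
import ipaddress

# Route lines as pasted in the opening post; constructed sample input for this example.
ROUTE_PRINT = """\
192.168.26.0 255.255.255.255 172.27.253.253 172.27.253.254 1
192.168.26.4 255.255.255.252 172.27.253.253 172.27.253.254 1
192.168.26.8 255.255.255.248 172.27.253.253 172.27.253.254 1
192.168.26.16 255.255.255.240 172.27.253.253 172.27.253.254 1
192.168.26.32 255.255.255.224 172.27.253.253 172.27.253.254 1
192.168.26.64 255.255.255.192 172.27.253.253 172.27.253.254 1
192.168.26.128 255.255.255.128 172.27.253.253 172.27.253.254 1
"""

def parse_routes(text):
    """Turn 'dest mask ...' lines into network objects (other fields ignored)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            routes.append(ipaddress.ip_network(f"{fields[0]}/{fields[1]}"))
    return routes

def uncovered(domain, routes):
    """Addresses of `domain` that no pushed route reaches, as collapsed CIDR blocks.
    These are the candidate overlap that made the gateway carve the network up."""
    net = ipaddress.ip_network(domain)
    covered = {addr for r in routes for addr in r}
    holes = (ipaddress.ip_network(str(a)) for a in net if a not in covered)
    return sorted(ipaddress.collapse_addresses(holes))

def carve(domain, holes):
    """Subtract `holes` from `domain` and return the minimal CIDR blocks that remain;
    this is the route shape a client receives when an overlap is excluded."""
    blocks = [ipaddress.ip_network(domain)]
    for hole in map(ipaddress.ip_network, holes):
        kept = []
        for block in blocks:
            if hole == block:
                continue                      # the hole swallows this block entirely
            if hole.subnet_of(block):
                kept.extend(block.address_exclude(hole))  # split around the hole
            else:
                kept.append(block)
        blocks = kept
    return sorted(ipaddress.collapse_addresses(blocks))

if __name__ == "__main__":
    holes = uncovered("192.168.26.0/24", parse_routes(ROUTE_PRINT))
    print([str(h) for h in holes], [str(b) for b in carve("192.168.26.0/24", holes)])
```

For the routes quoted above the missing piece is 192.168.26.1 through 192.168.26.3, so that is where to look for an address or object that already sits in another encryption domain.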
Check below...not sure if it applies, but I would need to see it on remote session if you are willing to show me the exact issue...
Andy
