This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gavin211
Explorer
‎2021-12-23 02:47 AM

Site to Site VPN with overlapping subnet

Hello Experts,

 

I am facing some issue with overlapping subnet, hope to be able to get some solution from this forums.

Below are what we current having / using

Star topology VPN

Main Site (Checkpoint) - 10.0.0.0/24

Remote Site A (Checkpoint)- 192.168.2.0/24, 192.168.3.0/24 (Configured IPSec Tunnel)

Remote Site B (Fortinet) - 192.168.0.0/21 (Having issue configuring IPSec Tunnel)

I am having issue trying to establish a IPSec Tunnel with remote site B, most likely due to the overlapping of subnet.

I would like to seek for advise on how can we move forward to solve this issue.

Thanks in advance.

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2021-12-23 03:55 AM

NAT or change the Remote A subnet

0 Kudos
gavin211
Explorer
‎2021-12-23 04:06 AM
In response to _Val_

Changing remote A subnet will not be possible. Is there a guide for NAT between site to site VPN? 

0 Kudos
_Val_
Admin
Admin
‎2021-12-23 05:15 AM
In response to gavin211

This is a classic case, for every vendor running IPSec VPN S2S tunnels. There are plenty explanations on how to fix it with NAT. For example, https://www.practicalnetworking.net/stand-alone/vpn-overlapping-networks/

the_rock
Legend
Legend
‎2021-12-23 04:51 AM

@_Val_ is absolutely right. Now, personally, and this is just me, what I would do, just to be sure is maybe do quick vpn debug on CP side to confirm, but yea, it appears overlapping subnets are problem, for sure. 192.168.0.0/21 would definitely encompass 192.168.2.0/24 network. You can run below command on CP firewall and see what it shows.

vpn overlap_encdom

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events