Question about overlapping vpn domain same management

Hello Everybody,

I have a little question that has been bothering me for a while. Let's say that I have a management with a VSX with 2 Virtual Systems (VS_A and VS_B). VS_A has a site-to-site VPN with peerA, which has the network 172.16.20.0/24 (remote domain), and now I want to create a site-to-site VPN on VS_B with peerB (a totally different site than peerA) that has as remote domain 172.16.20.1, 172.16.20.2 (and maybe also the whole 172.16.20.0/24).

Would this cause overlapping even though they are different firewalls?

If that is the case, is there a way to solve this? (maybe having a multidomain with different CMAs for each VS for example)

Thanks in advance

You can resolve this issue, but: You are forced to do a manual routing, and this will get more and more complicated as new sites are added to the VPN community. See sk31021:

Common VPN routing scenarios can be configured using a VPN star community, but not all VPN routing configuration is handled through SmartDashboard.

VPN routing between Security Gateways (star or mesh) can also be configured by editing the configuration file: $FWDIR/conf/vpn_route.conf.

For information on Route Based VPN, refer to the Route Based VPN section in the R80.10 VPN Site to Site Administration Guide.

Thank you for the answer. So, according to what you mentioned, there will indeed be overlapping even if the firewalls are different but are managed by the same SmartCenter. As you said, it looks like using VPN routing will cause this to get more difficult to manage with time, so I was thinking: if I use a Multi-Domain with a different CMA for each Virtual System, I wouldn't have this "limitation" (the overlapping in this case), right?

You are missing the problem here - not the same SMS is the issue, but the CP Domain Based VPN! An Encryption Domain cannot contain duplicate subnets or routing will not work. So the solution is not MultiDomain, but no duplicate subnets at all for Domain VPN, or no Domain VPN but PBR...

Got it! I'll keep this in mind. Thank you so much!

More information can be found in the CP R80.30 Site to Site VPN Admin Guide, chapter Domain Based VPN p.74f and Route Based VPN p.79f!

Hi @G_W_Albrecht,

I'm a bit confused here as I have a similar, albeit slightly different, scenario I'm looking for assistance with. In my scenario, peerA and peerB will both have VPNs to peerC. So the remote encryption domain does not span multiple peers, however, the local encryption domain on peerA and peerB will contain overlapping subnets. Is this still not supported?

If possible, can you provide assistance in the linked forum post?

MEP (Multiple entry point) VPN may solve your use case

Multiple Entry Point (MEP) VPNs 

____________
https://www.linkedin.com/in/federicomeiners/
@VictorPG 

I think that we have to divide the question in two parts: Overlapping encryption domains and routing.

VSX is a great way to overcome overlapping of DEs, since each VS will have its own VPN Encryption Domain and its own VPN tunnels. You can create specific groups for each one with the relevant networks; of course, this will depend on your VSX architecture.

The routing issue is how the packet reaches the correct VS; after that, it will be solved.

Hope it helps!

Federico Meiners

____________
https://www.linkedin.com/in/federicomeiners/
But when you say "each VS will have their own VPN Encryption domain and their own VPN tunnels", does this mean only the local domain or also the remote domain for the peers? If each VS has a VPN with different peers, and in this case the remote domain in the peers is the same (peerA for VS_A and peerB for VS_B), would this cause overlapping between peers (even if the VPN tunnels are for different Virtual Systems)?

@VictorPG It will not cause overlap since peers are associated with a specific S2S VPN; you can have different peers with the same remote encryption domain as long as they are not in the same VS.

What a peer encryption domain does is inject routes into the routing table so your firewall knows that that IP is reachable via that peer. If you have two peers with the same Remote DE in the same firewall (VS or not), then you will have overlapping routes.

____________
https://www.linkedin.com/in/federicomeiners/
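The rule stated in the reply above (a remote encryption domain may be reused across peers only when those peers terminate on different Virtual Systems, because each VS has its own routing table; two peers with intersecting remote domains on the same VS produce overlapping routes) can be checked on a planned peer list before policy is pushed. The script below is an added example, not code from the thread or from Check Point; the VS names, peer names and subnets are constructed to mirror the original question, and it uses only the Python standard library. It also handles the host-versus-subnet case from the question (172.16.20.1 against 172.16.20.0/24), which is an overlap even though the entries are not identical.

```python
"""Flag overlapping remote VPN encryption domains, scoped per Virtual System.

Added illustration (not Check Point code). Model of the rule from the thread:
the same remote subnet behind two peers is fine when the peers live on
different VSs, but two peers with intersecting remote domains on one VS
produce colliding routes in that VS's routing table.
"""
from collections import defaultdict
from ipaddress import ip_network
from itertools import combinations

# Constructed sample data mirroring the scenario in the question:
# (virtual system, peer name, remote encryption domain entries).
PLANNED_PEERS = [
    ("VS_A", "peerA", ["172.16.20.0/24"]),
    ("VS_B", "peerB", ["172.16.20.1", "172.16.20.2"]),
    ("VS_B", "peerC", ["10.10.0.0/16"]),
]


def parse_domain(entries):
    """Turn host and subnet strings into network objects (a bare host is /32).

    strict=False accepts entries like 172.16.20.1/24 written with host bits set.
    """
    return [ip_network(entry, strict=False) for entry in entries]


def find_overlaps(peers):
    """Overlaps that matter: same VS, different peers, intersecting entries.

    Returns a list of (vs, peerX, networkX, peerY, networkY); an empty list
    means the plan is free of same-VS remote-domain collisions.
    """
    by_vs = defaultdict(list)
    for vs, peer, entries in peers:
        by_vs[vs].append((peer, parse_domain(entries)))

    hits = []
    for vs, members in by_vs.items():
        # Only peers sharing a VS share a routing table, so only compare those.
        for (peer1, nets1), (peer2, nets2) in combinations(members, 2):
            for net1 in nets1:
                for net2 in nets2:
                    if net1.overlaps(net2):  # covers host-in-subnet, not just equality
                        hits.append((vs, peer1, str(net1), peer2, str(net2)))
    return hits


def reused_across_vs(peers):
    """Entries that overlap only across different VSs.

    These are the cases the thread says are acceptable: each VS has its own
    tunnels and routes, so the same remote subnet can sit behind peerA on VS_A
    and behind peerB on VS_B. Returned for review, not as an error.
    """
    flat = [(vs, peer, net)
            for vs, peer, entries in peers
            for net in parse_domain(entries)]
    reused = []
    for (vs1, p1, n1), (vs2, p2, n2) in combinations(flat, 2):
        if vs1 != vs2 and n1.overlaps(n2):
            reused.append((vs1, p1, str(n1), vs2, p2, str(n2)))
    return reused


if __name__ == "__main__":
    conflicts = find_overlaps(PLANNED_PEERS)
    for hit in conflicts:
        print("CONFLICT (same VS):", hit)
    if not conflicts:
        print("No same-VS remote-domain overlaps in the plan.")
    for item in reused_across_vs(PLANNED_PEERS):
        print("Reused across VSs (allowed):", item)

    # A hypothetical peerD added to VS_A with a subnet inside peerA's domain
    # is exactly the situation that breaks Domain Based VPN routing.
    bad_plan = PLANNED_PEERS + [("VS_A", "peerD", ["172.16.20.0/25"])]
    for hit in find_overlaps(bad_plan):
        print("CONFLICT in bad plan:", hit)
```

Run it as-is to see the original question's plan pass (peerA on VS_A and peerB on VS_B reuse 172.16.20.0/24 without colliding) and the hypothetical peerD on VS_A fail. To check a real plan, replace PLANNED_PEERS with the per-VS peer objects and their remote encryption domain groups as defined in the policy.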