Christoph
Collaborator

R80.40 Custom VPN Domain not working as expected

Hi,

Running R80.40 latest T78, and yesterday I had an issue with a new VPN site.

I'm using the newly introduced custom VPN Domains, which allows for only specific encryption domain advertisements to the partner site, or so I thought.

Setup:

Network: 172.16.0.0/16

Default VPN Domain: Multitude of networks, including 172.16.0.0/17 not including 172.16.100.0/24

Custom VPN Domain configured: 172.16.100.0/24 as a network object. This object is standalone and not used anywhere else.

The default VPN Domain does not include the network 172.16.100.0/24 object.

VPN tunnel sharing is set to: by subnet

Q2 proposal fails: We are offering 172.16.0.0/17 if a host from our side initiates the tunnel. Expected behavior, imho, would be to have 172.16.100.0/24 proposed as our encryption domain.

Adding 172.16.100.0/24 to the default VPN domain fixes this issue.

So just to be clear, this custom VPN domain is only a "filter" and not an explicit "setting", or am I missing something?

Cheers

Christoph

Edit: Formatting

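To make the question in the post concrete, here is a small added model (not Check Point code, and not a description of the gateway's real implementation) of how "tunnel sharing: by subnet" selects the subnet to propose in Phase 2: the initiating host is matched against a candidate list and the longest matching prefix wins. Two candidate lists are compared: "override", where the custom VPN domain replaces the default domain for that peer (the behaviour the post expected), and "default-only", where the custom domain has no effect (the behaviour that would produce the 172.16.0.0/17 offer the post observed). The 192.168.50.0/24 entry is constructed filler standing in for the "multitude of networks" in the default domain; the function names are this example's own.

```python
import ipaddress

# Added example model of Phase 2 subnet selection; not Check Point code.
# Subnets come from the thread's setup; 192.168.50.0/24 is constructed filler
# for the other networks the default VPN domain contains.


def net(s):
    return ipaddress.ip_network(s, strict=True)


DEFAULT_DOMAIN_BEFORE = [net("172.16.0.0/17"), net("192.168.50.0/24")]
# The workaround from the post: add the /24 object to the default domain as well.
DEFAULT_DOMAIN_AFTER = DEFAULT_DOMAIN_BEFORE + [net("172.16.100.0/24")]
CUSTOM_DOMAIN = [net("172.16.100.0/24")]  # per-peer custom VPN domain


def most_specific(subnets, host):
    """Longest-prefix match of host against a subnet list (by-subnet tunnel sharing).

    Returns the matching network, or None when the host is outside every subnet.
    """
    matches = [n for n in subnets if host in n]
    if not matches:
        return None
    return max(matches, key=lambda n: n.prefixlen)


def proposed_subnet(host, default_domain, custom_domain, model):
    """Subnet the gateway would offer as its side of the Phase 2 SA under a given model.

    model == "override":     custom domain replaces the default for this peer (expected).
    model == "default-only": custom domain is not consulted at all (matches the observed offer).
    """
    host = ipaddress.ip_address(host)
    if model == "override":
        candidates = custom_domain
    elif model == "default-only":
        candidates = default_domain
    else:
        raise ValueError(f"unknown model {model!r}")
    return most_specific(candidates, host)


def missing_from_default(custom_domain, default_domain):
    """Custom-domain entries that are not listed as objects in the default domain.

    Being covered by a wider prefix (172.16.0.0/17) does not count; the post's fix
    was to add the /24 itself, so this is the pre-change check worth running.
    """
    return [n for n in custom_domain if n not in default_domain]


def compare(host="172.16.100.10"):
    """Proposed subnet for each (configuration, model) pair, as strings."""
    result = {}
    for label, default in (("before", DEFAULT_DOMAIN_BEFORE), ("after", DEFAULT_DOMAIN_AFTER)):
        for model in ("override", "default-only"):
            result[(label, model)] = str(proposed_subnet(host, default, CUSTOM_DOMAIN, model))
    return result


if __name__ == "__main__":
    for (label, model), subnet in compare().items():
        print(f"{label:6s} {model:12s} -> {subnet}")
    print("custom entries not in default domain (before):",
          [str(n) for n in missing_from_default(CUSTOM_DOMAIN, DEFAULT_DOMAIN_BEFORE)])
```

Run as-is, the "before/default-only" row reproduces the 172.16.0.0/17 offer from the post, and both models agree on 172.16.100.0/24 once the object is also in the default domain, which is consistent with the workaround reported. The model does not decide which behaviour the gateway actually implements; it only shows what each interpretation predicts so the TAC case can be phrased precisely.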
5 Replies
Nik_Bloemers
Advisor

I noticed some weirdness with this as well. I was hoping this would be a more elegant solution for user.def changes, but sadly it doesn't appear to work this way.

Andreas_Aust
Collaborator

Could someone from Check Point shed some light on this issue?

PhoneBoy
Admin

This sounds like a bug and the TAC should be involved.
Are the gateways also R80.40 as well in this case?

Christoph
Collaborator

Yes, everything is R80.40 Take78. This is a migration project. There are other observations concerning this issue: with three working tunnels, where the custom VPN domain looked like it worked, there were no complaints, maybe it wasn't used. Hard to tell now, as we put the faulting net in the default VPN domain.

Benedikt_Weissl
Advisor

Does it work if you configure it according to sk108600 scenario 1?

Do you see any output if you run "fw tab -t subnet_for_range_and_peer" in expert mode?
