JoeBandura
Participant

Partial overlapping encryption domains

Hey y'all, hopefully this is an easy question to answer.

I have two sites that we'll call SITEA and SITEB that are physically remote, but directly connected via fiber. Both sites each have a R81.10 FW cluster that we'll call GWA at SITEA and GWB at SITEB that provides NAT and internet access at each site. SITEA also has an R81.10 management station that acts as logging and management for both GWA and GWB via their internal interfaces.

My plan is to configure the VPN blade on GWA and GWB and setup a site-to-site VPN between them. This would act as a redundant path in the event our fiber connection between the two sites goes down. Assume the routing details for this setup are taken care of.

I have since enabled the VPN blade on both GWA and GWB without configuring a VPN tunnel and installed policy. During/after policy installation, I have received this warning:

"The gateways GWA and GWB have partial overlapping encryption domains. Therefore, Endpoint Connect users will not support MEP configuration SecureRemote/SecureClient users will not be able to create site. If any of the GWs should not be exported to SR/SC. please remote it from the RemoteAccess community or uncheck the exportable for SR box. The overlapping domain include..."

I have read Scenario 1 of sk106837, which appears to be my situation. But, from my understanding, this won't seem to apply to me since I have no plans to use RemoteAccess or Secondary Connect. However, I would like to not see this message every time I install a policy, since it may potentially mask other issues.

Any help is appreciated. Thank you.

0 Kudos
7 Replies
simonemantovani
MVP Silver

Hello

Could you provide the configuration for both gateways (configuration, topology, VPN communities, etc.) to better understand the topology of your sites?

0 Kudos
JoeBandura
Participant

SITEA: 10.10.0.0/16
Management Station: 10.10.0.10

There is a router on the fiber connection to route traffic from SITEA to SITEB. Currently that's done with simple static routes, but will be changed.

SITEB: 10.20.0.0/16

GWA:
Internal - 10.10.0.1, Topology leads to - [Group with all internal networks of both SITEA & SITEB]
External - 1.2.3.4, Topology leads to - External (Internet)

GWB:
Internal - 10.20.0.1, Topology leads to - [Group with all internal networks of both SITEA & SITEB]
External - 4.3.2.1, Topology leads to - External (Internet)

After doing some reading, I am thinking I need to set a User Defined VPN Domain on both GWA and GWB under the gateway properties -> Network Management -> VPN Domain. Maybe specify the site specific network(s) for each gateway?

0 Kudos
simonemantovani
MVP Silver

The error could be related to the fact that both internal networks are 10.10.x.x/16.

Yes, it's best to define the VPN domain for both gateways; pay attention, in both VPN domains you can't define 10.10.x.x with a /16 subnet mask, because you'll have overlapping domains.

0 Kudos
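To make the overlap concrete, here is a small check written for this thread (it is not Check Point code and not the exact logic behind the policy-install warning, which is simplified here to "do any two gateways in the community export overlapping address ranges"). It uses the constructed addresses from the posts above: the default topology-derived domains, where both GWA and GWB export the group holding every internal network of both sites, versus user-defined domains limited to each site's own network.

```python
import ipaddress

# Constructed values based on the thread; hypothetical, not a real deployment.
ALL_INTERNAL = ["10.10.0.0/16", "10.20.0.0/16"]

# Topology-derived domains: both gateways export the group with all
# internal networks of both sites, so their VPN domains overlap.
DEFAULT_DOMAINS = {
    "GWA": ALL_INTERNAL,
    "GWB": ALL_INTERNAL,
}

# User-defined VPN domains (gateway properties -> Network Management ->
# VPN Domain) restricted to each site's own network.
SITE_SPECIFIC_DOMAINS = {
    "GWA": ["10.10.0.0/16"],
    "GWB": ["10.20.0.0/16"],
}


def _nets(domain):
    """Parse a list of CIDR strings; strict=True rejects host bits set."""
    return [ipaddress.ip_network(n, strict=True) for n in domain]


def overlapping_networks(domain_a, domain_b):
    """Return the (net_a, net_b) pairs whose address ranges intersect."""
    return [
        (a, b)
        for a in _nets(domain_a)
        for b in _nets(domain_b)
        if a.overlaps(b)
    ]


def classify_overlap(domain_a, domain_b):
    """Classify two VPN domains as 'none', 'partial' or 'identical'.

    'identical' means the same set of networks on both sides; 'partial'
    means some address ranges intersect without the sets being equal.
    """
    set_a = set(_nets(domain_a))
    set_b = set(_nets(domain_b))
    if set_a == set_b:
        return "identical"
    if overlapping_networks(domain_a, domain_b):
        return "partial"
    return "none"


def check_community(domains):
    """Check every gateway pair in a community.

    Returns a list of (gw_a, gw_b, kind, [overlapping pairs as text]),
    one entry per pair of gateways whose domains overlap.
    """
    findings = []
    names = sorted(domains)
    for i, gw_a in enumerate(names):
        for gw_b in names[i + 1:]:
            kind = classify_overlap(domains[gw_a], domains[gw_b])
            if kind != "none":
                pairs = overlapping_networks(domains[gw_a], domains[gw_b])
                findings.append(
                    (gw_a, gw_b, kind, [f"{a} <-> {b}" for a, b in pairs])
                )
    return findings


if __name__ == "__main__":
    for label, domains in (("default", DEFAULT_DOMAINS),
                           ("site-specific", SITE_SPECIFIC_DOMAINS)):
        findings = check_community(domains)
        print(f"{label}: {len(findings)} overlapping gateway pair(s)")
        for gw_a, gw_b, kind, pairs in findings:
            print(f"  {gw_a}/{gw_b}: {kind} overlap on {', '.join(pairs)}")
```

With the default domains the check reports GWA/GWB as overlapping on both /16 networks; with the site-specific domains it reports nothing, which is the state the policy-install warning is asking for.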
JoeBandura
Participant

Yeah, you're right. It's early and I haven't had coffee. I fixed the network addresses.

the_rock
MVP Diamond

If they have to overlap, then NAT would be required.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
Martijn
MVP

Hi,

So traffic between site A and site B is going over the fiber connection and the sole purpose of the VPN is a backup in case the fiber connection has issues. Correct?

Instead of using domain based VPN, you can take a look at route based VPN for the VPN connection between both sites.
Have a routing protocol like OSPF in place to update routes in the network. In case there is an issue with the fiber connection, routes are updated with OSPF and traffic is sent via the VPN connection.

No need for Encryption Domains (route based VPN uses an empty group).

Martijn

(1)
JoeBandura
Participant

Correct. VPN use case is only in the event the fiber goes down.

I will look at this. Thank you.
