Jon_Dyke
Contributor

Full Encryption Domain Overlap

We are about to set up a new tunnel with another office which has a subnet that is in our encryption domain. The new office has a Fortinet cluster, but they also have a 192.168.0.0/22 subnet. The diagram shows our current Checkpoint star community, and we need to connect two sites to this cluster. I am interested in how people would suggest we best deal with this. I am guessing that if we cannot change the subnet at one end then we will need to NAT the entire subnet at the Fortinet. I currently have the 3 Checkpoint clusters set up as centre GWs in the star community, so I assume it would be better to add the Fortinet as a satellite to the same community rather than create two new ones (connecting site 2 would not be a problem).

Capture.JPG

3 Replies
PhoneBoy
Admin

Your choices are NAT or renumber one side or the other.
And you'd probably create a separate VPN community between Site1/3 and the Fortinet Cluster.
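Before choosing between the two options above, it helps to see exactly which encryption-domain networks collide and what a NAT'd domain would look like. The following is an added example, not code from the thread or from Check Point or Fortinet; the 192.168.0.0/22 range is the one from the question, while the Check Point-side ranges and the 100.64.0.0/16 NAT pool are constructed assumptions (a non-overlapping range from the CGNAT block is a common choice for this kind of translation, but any free range will do).

```python
import ipaddress
from itertools import combinations

# Constructed sample encryption domains (one entry per VPN community member).
# 192.168.0.0/22 is the overlapping range from the thread; everything else is assumed.
ENCRYPTION_DOMAINS = {
    "CP-Cluster-1": ["10.1.0.0/16", "192.168.0.0/22"],
    "CP-Cluster-2": ["10.2.0.0/16"],
    "CP-Cluster-3": ["10.3.0.0/16"],
    "Fortinet-Cluster": ["192.168.0.0/22"],
}


def find_overlaps(domains):
    """Return (gw_a, net_a, gw_b, net_b) for every pair of *different* gateways
    whose encryption-domain networks overlap. Networks inside one gateway's own
    domain are allowed to overlap each other, so only cross-gateway pairs count."""
    overlaps = []
    for (gw_a, nets_a), (gw_b, nets_b) in combinations(domains.items(), 2):
        for a in nets_a:
            for b in nets_b:
                net_a, net_b = ipaddress.ip_network(a), ipaddress.ip_network(b)
                if net_a.overlaps(net_b):
                    overlaps.append((gw_a, str(net_a), gw_b, str(net_b)))
    return overlaps


def nat_plan(domains, gateway, nat_pool):
    """Build a NAT plan for `gateway`: each of its networks that collides with
    another member is replaced by a same-size subnet carved from `nat_pool`.
    Returns (new_domains, mapping) where mapping is {real_network: natted_network}.
    The VPN-facing encryption domain of `gateway` then contains the NAT'd ranges."""
    pool = ipaddress.ip_network(nat_pool)

    # Which of this gateway's networks actually collide with someone else?
    colliding = set()
    for gw_a, net_a, gw_b, net_b in find_overlaps(domains):
        if gw_a == gateway:
            colliding.add(net_a)
        if gw_b == gateway:
            colliding.add(net_b)

    # Everything the translated ranges must stay clear of.
    others = [ipaddress.ip_network(n)
              for gw, nets in domains.items() if gw != gateway for n in nets]

    new_domains = {gw: list(nets) for gw, nets in domains.items()}
    mapping = {}
    # Largest networks first so they are packed into the pool before small ones.
    for real in sorted(colliding, key=lambda s: ipaddress.ip_network(s).prefixlen):
        real_net = ipaddress.ip_network(real)
        if real_net.prefixlen < pool.prefixlen:
            raise ValueError(f"{real} is larger than NAT pool {nat_pool}")
        taken = [ipaddress.ip_network(m) for m in mapping.values()]
        for candidate in pool.subnets(new_prefix=real_net.prefixlen):
            if not any(candidate.overlaps(o) for o in others + taken):
                mapping[real] = str(candidate)
                break
        else:
            raise ValueError(f"NAT pool {nat_pool} has no free /{real_net.prefixlen} for {real}")

    new_domains[gateway] = [mapping.get(n, n) for n in new_domains[gateway]]
    return new_domains, mapping


if __name__ == "__main__":
    for gw_a, net_a, gw_b, net_b in find_overlaps(ENCRYPTION_DOMAINS):
        print(f"overlap: {gw_a} {net_a} <-> {gw_b} {net_b}")
    # Translate on the Fortinet side, as the question proposes.
    new_domains, mapping = nat_plan(ENCRYPTION_DOMAINS, "Fortinet-Cluster", "100.64.0.0/16")
    for real, natted in mapping.items():
        print(f"NAT {real} -> {natted}")
    print("remaining overlaps:", find_overlaps(new_domains))
```

Running the check a second time on the returned domains is the useful part: an empty list confirms that the translated domain is clean before anything is pushed to either firewall, and the same function can be re-run whenever a new satellite is added to the community.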

the_rock
Leader

I can't recall now, but there is an SK that explains how to do this with the user.def file on the mgmt server if you have overlapping domains.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

By the way, I know there are some new GuiDBedit VPN features in R80, but I don't believe they are related to overlapping enc domains. Let me check if I can find anything for you, because I had a similar scenario with a customer recently.

the_rock
Leader