jtorella-chsli
Participant

IPSEC phase2 per subnet still creating per host

I have a GAIA R77.30 gateway. We recently upgraded our management station to R80.40. Since then we are noticing that tunnels that we have created as per subnet are having issues. When we examine the logs we notice that the gateway is actually attempting to create a per-host tunnel. We are noticing multiple SAs in phase 2 when we should only see one, since all our clients are on the same /24 network. Does anyone have any suggestions?

Thank you for whatever help you can offer.
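One way to confirm from the gateway's own SA list whether a community is really negotiating per subnet or per host, as an added example that is not part of the original post or Check Point's tooling. It takes the configured encryption-domain subnets on each side and a list of negotiated Phase 2 selectors, groups the SAs by the configured subnet pair they fall into, and flags a pair as per-host when it carries more than one SA or any selector narrower than the configured subnet (e.g. a /32). The SA records below are constructed and use a simplified `local=<cidr> remote=<cidr>` format, not Check Point's real log or `vpn tu` output format, so the regex would need adjusting for real data.

```python
"""Added example (not from the original thread): check whether the Phase 2
SAs a gateway negotiated follow the configured per-subnet encryption
domain or have collapsed into per-host (/32) selectors.

Assumption: SA records are a constructed "local=<cidr> remote=<cidr>" text,
NOT Check Point's real log or `vpn tu` output format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed encryption domains: one /24 on each side of the community.
LOCAL_DOMAIN = ["10.10.20.0/24"]
PEER_DOMAIN = ["192.168.50.0/24"]

# Constructed sample: three per-host SAs inside the configured /24 pair
# (the symptom described in the thread) plus one SA outside both domains.
SAMPLE_SAS = """\
phase2 sa spi=0x1a2b3c4d local=10.10.20.15/32 remote=192.168.50.7/32
phase2 sa spi=0x1a2b3c4e local=10.10.20.22/32 remote=192.168.50.7/32
phase2 sa spi=0x1a2b3c4f local=10.10.20.9/32 remote=192.168.50.30/32
phase2 sa spi=0x2b3c4d5e local=10.10.21.0/24 remote=192.168.51.0/24
"""

SA_RE = re.compile(r"local=(?P<local>\S+)\s+remote=(?P<remote>\S+)")


def parse_sas(text):
    """Extract (local, remote) selector networks from the constructed records."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            sas.append((ipaddress.ip_network(m["local"], strict=False),
                        ipaddress.ip_network(m["remote"], strict=False)))
    return sas


def containing_subnet(net, domain):
    """Return the configured domain subnet that contains `net`, or None."""
    for cidr in domain:
        d = ipaddress.ip_network(cidr)
        if net.version == d.version and net.subnet_of(d):
            return d
    return None


def analyze(sas, local_domain, peer_domain):
    """Group SAs by the configured (local, peer) subnet pair they fall into.

    With per-subnet negotiation, each pair should carry exactly one SA whose
    selectors equal the configured subnets. Keys are string CIDR pairs;
    a side that matches no configured subnet is keyed "outside-domain".
    """
    groups = defaultdict(lambda: {"count": 0, "narrowed": 0})
    for local, remote in sas:
        ls = containing_subnet(local, local_domain)
        ps = containing_subnet(remote, peer_domain)
        key = (str(ls) if ls else "outside-domain",
               str(ps) if ps else "outside-domain")
        g = groups[key]
        g["count"] += 1
        # A selector narrower than the configured subnet means a host tunnel.
        if ls is not None and ps is not None and (local != ls or remote != ps):
            g["narrowed"] += 1
    return dict(groups)


def is_per_host(group):
    """True when a subnet pair shows per-host rather than per-subnet SAs."""
    return group["narrowed"] > 0 or group["count"] > 1


def report(sas, local_domain, peer_domain):
    """One human-readable verdict line per subnet pair."""
    lines = []
    for (ls, ps), g in sorted(analyze(sas, local_domain, peer_domain).items()):
        if "outside-domain" in (ls, ps):
            verdict = "outside configured domain"
        else:
            verdict = "PER-HOST" if is_per_host(g) else "ok"
        lines.append(f"{ls} <-> {ps}: {g['count']} SA(s), "
                     f"{g['narrowed']} narrowed selector(s) [{verdict}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_sas(SAMPLE_SAS), LOCAL_DOMAIN, PEER_DOMAIN)))
```

Running it against the constructed sample reports the 10.10.20.0/24 to 192.168.50.0/24 pair as PER-HOST (three /32 SAs where one /24 SA was expected), which is the evidence to attach to a TAC case; an SA outside the configured domains is reported separately, since that points at a domain definition problem rather than a per-host negotiation problem.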

5 Replies
PhoneBoy
Admin

jtorella-chsli
Participant

Hi Phoneboy,

Thank you, but we are not using exclusions in our encryption domain for this community. We created a group with just the subnets that are needed in the encryption domain. We did try "One tunnel per gateway pair" with no luck. This problem seems to have only started when we updated our management station to R80.40; the gateways are still R77.30. Could there be an incompatibility between the management station and the gateways? Also, I know that the R80.40 management station supports a "user defined" domain for each community, but do the R77.30 gateways support it? When I pushed policy I didn't get any errors, so I assumed it works.

PhoneBoy
Admin

R80.40 can manage R77.30 gateways.
However, R77.30 is End of Support.

As far as I know, the VPN Domain Per Community feature does not require gateways to also be on R80.40+.
However, at least for SMB appliances running R77.20.x, it doesn't appear to work: https://community.checkpoint.com/t5/General-Topics/R80-40-Question-about-encryption-domain-per-VPN-c... 

You can open a TAC case here, but support will only be provided on best-effort basis.
Upgrading to a supported release is definitely recommended.

jtorella-chsli
Participant

Thanks. We did open a TAC case already and they can't explain it either. We have it set to per subnet but it is clearly doing per host. As a temporary fix we asked our partner to set their side (ASA) to per host and things are working. Our partner does want to leave the tunnel as per host permanently and would like us to resolve it so they can set it back to per subnet. We will continue to push TAC to look into it further. Thanks for your help.

the_rock
Champion

Hi,

Could you share an example of the log where this happens? Yes, there are some supernetting GuiDBedit things that changed in R80 compared to before in R77. There is also a file on the mgmt server called crypt.def for excluding certain IP ranges, but it does not sound like you even have that configured. Is it only one tunnel with this issue, or multiple? If it's one, you can simply reset it via the vpn tu command on the gateway, but if it's multiple, it sounds like it could be a global issue. Happy to do a remote session and see if I can help you fix it.

Andy