This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MattGo
Participant
‎2025-10-17 02:12 AM

IPsec VPN with both gateways in the same subnet

Hello everyone, does anyone know if it is possible to configure a site-to-site VPN between two Check Point R81.20 gateways that are within the same subnet?  The client has two data centres linked at layer 2 and want an encrypted tunnel, but at layer 3 it's the same subnet, with one gateway at either end of the link.  Unfortunately I do not have sight of the configuration as it's in a secure environment but it seems that the tunnel is not coming up and I was wondering if it is simply never going to work without other changes (e.g. using different subnets) or whether to continue diagnostics work. Thanks.

0 Kudos
9 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-10-17 02:32 AM

Yup...just assign empty group as enc. domain on both fws.

Best,
Andy
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2025-10-17 05:38 AM

I believe not. To send the traffic encrypted from one site to another your gateways must work as Layer 3 routing device.

If your datacenter is connected via Layer 2, why not using encryption features of the Layer 2 devices like MACSec?

Or as an idea you can create a VXLAN tunnel for your Layer 2 subnet see sk170014 - Virtual Extensible LAN (VXLAN) Configuration Guide

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-17 09:11 AM
In response to Wolfgang

Im fairly sure we got this working before the way I mentioned.

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-10-17 09:50 AM

As in a collection of networks behind one firewall, a different collection of networks behind the other firewall, and the two firewalls are connected with no routers between them? Works fine. VPN termination functionality is just traffic which rides on top of routing functionality. If they can ping each other, they can negotiate IKE and IPSec.

If the networks behind each firewall overlap, it won't work, but that has nothing to do with the topology of the environment between them.

the_rock
MVP Platinum
MVP Platinum
‎2025-10-17 11:25 AM
In response to Bob_Zimmerman

True that!

Best,
Andy
0 Kudos
MattGo
Participant
‎2025-10-21 01:19 AM

Thank you for all your comments - looks like more diagnosis on the underlying issue is required.

the_rock
MVP Platinum
MVP Platinum
‎2025-10-26 06:52 PM
In response to MattGo

Let us know how it gets solved...cheers.

Best,
Andy
0 Kudos
MarcuzShinz
Collaborator
Collaborator
‎2025-10-30 08:34 PM

If you configure S2S and both sites have the same subnet, you need to add a NAT rule to translate both your local subnet and the remote subnet on the other site.

Description below:
In the Communities settings, you still define the actual local and remote subnets. Then, you need to create two different subnets for the NAT configuration.

At this point, both sites must allow firewall rules for those NAT subnets instead of allowing the real subnets.
After doing so, each site will only see the other’s NAT subnet, not the real IPs.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-10-31 07:21 AM
In response to MarcuzShinz

That's correct if the gateways have the same subnet behind them. That doesn't sound like what's going on here. This environment sounds like a normal VPN topology, except instead of the Internet with a bunch of routers between the firewalls, it's a switched path (or a pseudowire or something similar).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events