stallwoodj
Collaborator

Mixing Universal Tunnel and specific topologies

Hi,

We have an inherited Juniper firewall which we are planning to migrate to Check Point. 

Some of the tunnels that are established have a local traffic selector of 192.168.x.0/24 and a remote selector of 0.0.0.0/0. And one has them the other way round, with a local domain of 0/0 and a remote domain of 172.x.x.0/24.

I've tried the standard route-based VPN method (in R81.10 lab back-to-back with an SRX), having set the default VPN topology as an empty group, creating VTIs and static routes, and overriding the local or remote topology to specific subnet on a per-VPN basis.

The SRX happily comes up and negotiates its IKEv2 with an initial traffic selector <0.0.0.0/0>-<192.168.x.0/24>, great. However, as soon as I attempt to push traffic, the Check Point tries to negotiate a new child SA with <0.0.0.0/0>-<0.0.0.0/0>, which the SRX rejects with "Traffic selectors unacceptable". The attempt was seen in iked.elg and the traffic captured in legacy_ikev2.xmll.

I tried to override this with subnet_for_range_and_peer but it had no effect on the issue.

So, is it / will it ever be possible to use route-based VPN without being forced to use Universal Tunnel at both ends? Currently I'm forced to get the 3rd party peers to change their traffic selectors which is annoying 🙂

Thanks

Jamie

0 Kudos
1 Reply
PhoneBoy
Admin

What's the setting in the VPN Community?
One Tunnel per Community would result in the 0.0.0.0/0 selector.

[screenshot attached: image.png]

0 Kudos
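To make the behaviour described in the question and the reply concrete, here is an added example (not code from the thread, Check Point or Juniper) that models the IKEv2 CREATE_CHILD_SA traffic-selector exchange. The initiator builds its TSi/TSr from the tunnel-management mode (the mode labels `one_tunnel_per_community`, `one_tunnel_per_subnet_pair` and `one_tunnel_per_host_pair` are this example's own names, modelled on the options the thread discusses), and the responder applies the RFC 7296 section 2.9 selection logic: narrow to the overlap with its policy, or answer TS_UNACCEPTABLE. The `allow_narrowing=False` path is an assumption that reproduces the strict rejection the poster saw from the SRX; the sample prefixes 192.168.1.0/24 and 172.16.5.0/24 are constructed stand-ins for the masked 192.168.x.0/24 and 172.x.x.0/24 in the post.

```python
from ipaddress import IPv4Network, ip_network
from typing import Optional, Tuple

Net = IPv4Network
TS = Tuple[Net, Net]  # (TSi, TSr) as carried in the CREATE_CHILD_SA request

ANY = ip_network("0.0.0.0/0")

# Constructed sample values standing in for the masked prefixes in the thread.
CP_LOCAL = ip_network("192.168.1.0/24")   # Check Point encryption domain
CP_REMOTE = ANY                           # peer side is "everything"
SRX_LOCAL = ANY                           # SRX local traffic selector
SRX_REMOTE = ip_network("192.168.1.0/24") # SRX remote traffic selector


def proposed_selectors(mode: str, packet_src: str, packet_dst: str,
                       local_domain: Net, remote_domain: Net) -> TS:
    """Model of the selectors an initiator proposes for the child SA that the
    first matching packet triggers.  Mode names are this example's own labels
    (assumption) for the tunnel-management choices discussed in the thread."""
    src, dst = ip_network(packet_src), ip_network(packet_dst)
    if mode == "one_tunnel_per_community":     # universal tunnel: 0/0 <-> 0/0
        return ANY, ANY
    if mode == "one_tunnel_per_subnet_pair":   # the configured domains
        return local_domain, remote_domain
    if mode == "one_tunnel_per_host_pair":     # /32 <-> /32 for this flow
        return src, dst
    raise ValueError(f"unknown tunnel-management mode: {mode}")


def narrow(proposed: Net, policy: Net) -> Optional[Net]:
    """Overlap of a proposed prefix with a policy prefix: the more specific of
    the two when they nest, None when they do not overlap at all."""
    if proposed.subnet_of(policy):
        return proposed
    if policy.subnet_of(proposed):
        return policy
    return None


def responder_answer(proposed: TS, policy_local: Net, policy_remote: Net,
                     allow_narrowing: bool) -> Tuple[str, Optional[TS]]:
    """Responder-side selector check in the spirit of RFC 7296 section 2.9.
    TSi describes the initiator's (our peer's) traffic, so it is matched
    against our *remote* policy; TSr is matched against our *local* policy.
    With allow_narrowing=False the proposal must already fit inside the
    policy, which is the strict behaviour reported for the SRX (assumption)."""
    tsi, tsr = proposed
    ni, nr = narrow(tsi, policy_remote), narrow(tsr, policy_local)
    if ni is None or nr is None:
        return "TS_UNACCEPTABLE", None
    if not allow_narrowing and (ni != tsi or nr != tsr):
        return "TS_UNACCEPTABLE", None
    return "OK", (ni, nr)


def simulate(mode: str, allow_narrowing: bool = False) -> Tuple[str, Optional[TS]]:
    """Check Point (initiator) in the given mode talking to the SRX (responder)
    for one constructed flow 192.168.1.10 -> 172.16.5.20."""
    proposal = proposed_selectors(mode, "192.168.1.10", "172.16.5.20",
                                  CP_LOCAL, CP_REMOTE)
    return responder_answer(proposal, SRX_LOCAL, SRX_REMOTE, allow_narrowing)


if __name__ == "__main__":
    for mode in ("one_tunnel_per_community", "one_tunnel_per_subnet_pair",
                 "one_tunnel_per_host_pair"):
        for narrowing in (False, True):
            status, ts = simulate(mode, narrowing)
            print(f"{mode:28s} narrowing={narrowing!s:5s} -> {status} {ts}")
```

Running it shows the thread's symptom: in `one_tunnel_per_community` mode the 0/0 <-> 0/0 proposal is wider than the SRX's 192.168.1.0/24 selector, so a strict responder answers TS_UNACCEPTABLE, while a per-subnet-pair proposal fits the SRX policy as-is and is accepted. The table also shows why the mismatch only surfaces once traffic flows: nothing is wrong with the initial exchange, only with the selectors the data-triggered child SA carries.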
