we have a S2S Tunnel between CheckPoint R80.40 and Sophos Firewall 9.713.
local encryption Domain on the CheckPoint: 11 hosts from network 192.168.0.0/24
remote encryption Domain on the CheckPoint: network 10.20.1.0/24
local encryption Domain on the Sophos: network 10.20.1.0/24
remote encryption Domain on the Sophos: network 192.168.0.0/24
Everything works very well.
Now we are changing the remote encryption Domain on the Sophos to 11 hosts from network 192.168.0.0/24, so that all encryption Domains will be the same on both sides. After the change, the VPN works only one way: from Sophos to CheckPoint. When connecting from CheckPoint [YYY] to Sophos [XXX] we see an error on Sophos:
cannot respond to IPsec SA request because no connection is known for 10.20.1.0/24===XXX[XXX]...YYY[YYY]===192.168.0.0/24
sending encrypted notification INVALID_ID_INFORMATION to YYY:500
On the CheckPoint I also see that it is trying to build the SA with the network (message is below). Question: why does CheckPoint build the SA with a network even though the local encryption Domain has 11 hosts? Sophos doesn't accept this because it also has 11 hosts only.
I drew a picture to understand it better. I've played with Tunnel Management, but that didn't help.
Thank you in advance!
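The one-way behaviour in the post can be reproduced with a small model of how each side matches IPsec selectors (proxy IDs). This is an added example, not Check Point or Sophos code; the three matching rules it encodes (Sophos answers only an exactly matching connection, Check Point proposes the topology subnet containing its hosts in subnet-pair mode, and Check Point as responder accepts anything inside its encryption domains) are assumptions of the model, and the host addresses are constructed.

```python
"""Model of the proxy-ID (traffic selector) mismatch described in the post.

Constructed example, not vendor code.  Assumed behaviour:
- Sophos (responder) answers a Quick Mode request only when the selector
  pair equals one of its configured connections exactly.
- Check Point in "one VPN tunnel per subnet pair" mode proposes the topology
  subnet that contains its domain hosts, not the individual /32 hosts.
- Check Point as responder accepts any selector pair that lies inside its
  own local and remote encryption domains.
"""
import ipaddress

Net = ipaddress.IPv4Network  # Net("192.168.0.10") yields a /32 host network


def checkpoint_proposals(local_hosts, topology, remote_net):
    """Selector pairs (own side, peer side) a Check Point gateway offers as initiator."""
    subnets = set()
    for h in local_hosts:
        # each host is announced via the topology subnet it belongs to
        subnets.add(next(n for n in topology if Net(h).subnet_of(n)))
    return sorted((s, Net(remote_net)) for s in subnets)


def sophos_connections(remote_hosts, local_net):
    """Per-host connections on Sophos, stored as (peer side, own side) so they
    compare directly with a proposal as it arrives from the peer."""
    return {(Net(h), Net(local_net)) for h in remote_hosts}


def sophos_responds(proposal, connections):
    """Strict match: the proposal must equal a configured connection."""
    src, dst = proposal
    if proposal in connections:
        return f"accepted {src}==={dst}"
    return (f"cannot respond to IPsec SA request because no connection "
            f"is known for {src}==={dst}")


def checkpoint_responds(proposal, local_hosts, remote_nets):
    """Lenient match: proposal (peer side, own side) must fit the domains."""
    peer, own = proposal
    own_ok = any(own.subnet_of(Net(h)) for h in local_hosts)
    peer_ok = any(peer.subnet_of(Net(r)) for r in remote_nets)
    return own_ok and peer_ok


HOSTS = [f"192.168.0.{i}" for i in range(10, 21)]   # constructed 11 hosts
TOPOLOGY = [Net("192.168.0.0/24")]                   # Check Point interface net

if __name__ == "__main__":
    conns = sophos_connections(HOSTS, "10.20.1.0/24")
    for p in checkpoint_proposals(HOSTS, TOPOLOGY, "10.20.1.0/24"):
        print("CP -> Sophos:", sophos_responds(p, conns))
    print("Sophos -> CP:", checkpoint_responds(
        (Net("10.20.1.0/24"), Net("192.168.0.10")), HOSTS, ["10.20.1.0/24"]))
```

Running it prints the Sophos "no connection is known" line for the Check Point-initiated direction and `True` for the Sophos-initiated one, matching the asymmetry in the post.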