but will it affect all the other tunnels? I think so, so it's a bit dangerous... need to discuss internally, but thank you

I can only speak for myself, I must have done it at least 20 times and only once there was an issue, but this was back in R65 days, never since then. To be sure, I would get an official statement from TAC.

ike_p2_enable_supernet_from_R80.20 is a setting for specific Tunnel, other settings exist only in Global Properties

I've disabled ike_p2_enable_supernet_from_R80.20 - did't help.
but - after remote site changed the local encryption domain to a host - it started working.
but - a connection to a host, which is in a newtork (we can't specify any host from this network) - stoped working...

so, is it not possible to mix host-host and host-network?

You can have hosts/subnets in enc domain, but then only one option can be selected for tunnel management in the community. I had not done it that way in awhile. Last time I made that work with a customer was back in R77.30 days : - )

You shouldn't need to mess around with those supernet and largest_possible_subnet variables if VPN Tunnel Sharing is pair of hosts.  The firewall will always propose /32's for both source and destination every time.  Be aware however that for every combination of IP addresses that try to communicate through the VPN, a new IPSec/Phase 2 tunnel will be created.  If PFS is set, this will cause an expensive Diffie-Hellman to be performed for every new IPSec/Phase 2 tunnel created.  If a bunch start up at once it could definitely dent your CPU utilization.  For that reason, lock down as tightly as possible in your Access Control policy what IP addresses are allowed to talk to each other through the tunnel to minimize the quantity of IPSec/Phase 2 tunnels created as much as possible.

hey @Timothy_Hall ...somewhat (un)related question. I recall you saying in one of the previous posts that when you set tunnel as permanent in vpn community, value tunnel_keepalive_method is automatically set for the objects as DPD in Guidbedit. Is this starting R81 or before, cant remember now...

Andy

Starting in R81 tunnel_keepalive_method will be set to DPD by default on all Interoperable Device object types.

Thanks for confirming 🙌

Timothy_Hall thank you for your answer. Let me explain the problem anew with all details. On one Site we have only hosts in the local ecnryption domain, on another Site we only have networks in the local encryption Domain. In that configuration only one-way traffic goes via Tunnel: from networks to hosts, but not from hosts to networks. How should we configure CheckPoint for this case?

I believe below is what you need to verify.

Andy

it is alredy impelmented and VPN Domain has hosts only:

Okay...and tunnel management tab for that community is set for pair of hosts as well? If yes, then I would suggest VPN debugs or contact TAC for faster resolution.

Andy

vpn debug truncon

vpn debug ikeon

check vpnd.elg and ike.elg in $FWDIR/log dir

As long as the Sophos is proposing hosts/subnets that fall into the VPN domain of the Check Point somewhere it will accept it no matter the VPN Tunnel Sharing Setting.  Based on your application data flow it sounds like the Sophos will be doing all the proposing and the Check Point will accept any proposals that are subsets, and they do not have to precisely match the subnet sizes defined in its VPN domain.

On the other hand, proposals presented to the Sophos by the Check Point must PRECISELY match the subnet sizes defined on the Sophos, subsets are not acceptable and you will blow up in Phase 2 with Invalid ID.  As long as the Sophos is the only one proposing, it doesn't matter what the VPN Tunnel Sharing option is set to on the Check Point.  The VPN tunnel is a two-way street once it successfully initializes and it doesn't matter who proposed it in the first place.

However if you would like the Check Point to be able to successfully propose and start up the VPN from its end (advisable), you will have to manually define the exact proposals you want sent to the Sophos peer to ensure they precisely match its defintions.  This is done by adding a subnet_for_range_and_peer directive to the proper *.def file on the SMS as described in Scenario 1 here: sk108600: VPN Site-to-Site with 3rd party