Christoph
Contributor

R80.40 Custom VPN Domain not working as expected

Hi,

Running R80.40 latest T78, and yesterday I had an issue with a new VPN site.

I'm using the newly introduced custom VPN Domains, which allow advertising only specific encryption domains to the partner site, or so I thought.

Setup:

Network: 172.16.0.0/16

Default VPN Domain: Multitude of networks, including 172.16.0.0/17 but not including 172.16.100.0/24

Custom VPN Domain configured: 172.16.100.0/24 as a network object. This object is standalone and not used anywhere else.

The default VPN Domain does not include the network 172.16.100.0/24 object.

VPN tunnel sharing is set to: by subnet

Q2 proposal fails: We are offering 172.16.0.0/17 if a host from our side initiates the tunnel. Expected behavior, imho, would be to have 172.16.100.0/24 proposed as our encryption domain.

Adding 172.16.100.0/24 to the default VPN domain fixes this issue.

So just to be clear, this custom VPN domain is only a "filter" and not an explicit "setting", or am I missing something?

Cheers

Christoph

Edit: Formatting
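A small model of the behaviour described in this post, added here as an illustration (it is not Check Point code and does not claim to describe the product's actual implementation). It compares the two readings the post asks about, custom VPN domain as a "filter" versus an explicit "setting", using the thread's networks plus a constructed initiating host and a constructed filler network, and shows which reading reproduces the observed /17 offer and the fix of adding the /24 to the default domain.

```python
import ipaddress

# Constructed figures based on the thread: a host in 172.16.100.0/24 initiates.
HOST = "172.16.100.10"
DEFAULT_DOMAIN = ["172.16.0.0/17", "10.10.0.0/16"]          # 10.10/16 is a filler network
DEFAULT_DOMAIN_FIXED = DEFAULT_DOMAIN + ["172.16.100.0/24"]  # the workaround from the post
CUSTOM_DOMAIN = ["172.16.100.0/24"]  # custom VPN domain = what the peer expects from us


def pick_subnet(host, domain):
    """'By subnet' tunnel sharing: the most specific network of `domain`
    that contains `host`, or None when no network contains it."""
    ip = ipaddress.ip_address(host)
    nets = [ipaddress.ip_network(n) for n in domain]
    hits = [n for n in nets if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def phase2_outcome(host, default_domain, custom_domain, semantics):
    """Return (offered_selector, peer_accepts) under one of two hypotheses.

    'setting': the custom domain replaces the default domain for this peer,
               so the selector is chosen from the custom domain.
    'filter' : the selector is still chosen from the default domain (what the
               thread observed); the peer only accepts it if it lies inside the
               encryption domain it was told to expect, i.e. the custom domain.
    """
    source = custom_domain if semantics == "setting" else default_domain
    offered = pick_subnet(host, source)
    if offered is None:
        return None, False
    expected = [ipaddress.ip_network(n) for n in custom_domain]
    accepted = any(offered.subnet_of(n) for n in expected)
    return str(offered), accepted


if __name__ == "__main__":
    cases = [
        ("filter, as configured", DEFAULT_DOMAIN, "filter"),
        ("filter, /24 added to default", DEFAULT_DOMAIN_FIXED, "filter"),
        ("explicit setting", DEFAULT_DOMAIN, "setting"),
    ]
    for label, domain, semantics in cases:
        offered, ok = phase2_outcome(HOST, domain, CUSTOM_DOMAIN, semantics)
        print(f"{label:30s} -> offered {offered}, peer accepts: {ok}")
```

Only the "filter" reading yields the reported /17 offer and its failure; both the "setting" reading and the /24 workaround produce an accepted /24 selector.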

Nik_Bloemers
Collaborator

I noticed some weirdness with this as well. I was hoping this would be a more elegant solution for user.def changes, but sadly it doesn't appear to work this way.

Andreas_Aust
Collaborator

Could someone from Check Point shed some light on this issue?

PhoneBoy
Admin

This sounds like a bug and the TAC should be involved.
Are the gateways also R80.40 in this case?

Christoph
Contributor

Yes, everything is R80.40 Take78. This is a migration project. There are other observations concerning this issue: with three working tunnels, the custom VPN domain looked like it worked and there were no complaints; maybe it wasn't used. Hard to tell now, as we put the faulting net in the default VPN domain.

Benedikt_Weissl
Advisor

Does it work if you configure it according to sk108600 scenario 1?

Do you see any output if you run "fw tab -t subnet_for_range_and_peer" in expert mode?
