This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christoph
Collaborator
‎2020-09-17 11:38 PM

R80.40 Custom VPN Domain not working as expected

Hi,

running R80.40 latest T78 and yesterday had an issue with a new VPN site.

I'm using the newly introduced custom VPN Domains, which allows for only specific encryption domain advertisements to the partner site, so I thought.

Setup:

Network: 172.16.0.0/16

Default VPN Domain: Multitude of networks, including 172.16.0.0/17 not including 172.16.100.0/24

Custom VPN Domain configured: 172.16.100.0/24 as a network object. This object is standalone and not used anywhere else.

The default VPN Domain does not include the network 172.16.100.0/24 object.

VPN tunnel sharing is set to: by subnet

Q2 proposal fails: We are offering 172.16.0.0/17, if a hosts from our side initiates the tunnel. Expected behavior, imho would be to have 172.16.100.0/24 proposed as our encryption domain.

Adding 172.16.100.0/24 to the default VPN domain fixes this issue.

So just to be clear, this custom VPN domain is only a "filter" and not an explicit "setting", or am I missing something?

Cheers

Christoph

Edit: Formating

0 Kudos
5 Replies
Nik_Bloemers
Advisor
Advisor
‎2020-09-18 12:09 AM

I noticed some weirdness with this as well. I was hoping this would be a more elegant solution for user.def changes, but sadly it doesn't appear to work this way.

0 Kudos
Andreas_Aust
Collaborator
‎2020-09-18 05:22 AM

Could someone from Check Point shed some light on this issue?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-20 02:59 PM

This sounds like a bug and the TAC should be involved.
Are the gateways also R80.40 as well in this case?

0 Kudos
Christoph
Collaborator
‎2020-09-20 11:15 PM
In response to PhoneBoy

Yes, everything is R80.40 Take78. This is a migration project. There are other observations concerning this issue, with three working tunnels, where the custom VPN domain looked like it worked, there were no complains, maybe it wasn't used. Hard to tell now, as we put the faulting net in the default vpn domain. 

0 Kudos
Benedikt_Weissl
Advisor
‎2020-09-21 02:26 AM
In response to Christoph

Does it work if you configure it according to sk108600 scenario 1?

Do you see any output if you run"fw tab -t subnet_for_range_and_peer" in expert mode?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events