R81.10 VPN encryption domain override

Ryan_Ryan · ‎2022-02-09

Hi,

I have used the encryption domain override on both the center and remote gateways in two different vpns on two r81.10 gateways. Everything worked fine to my Cisco router on the other end with matching encryption domains (I am using mainly /32 host addresses).

However I then noticed something was not right, when I tried to send traffic in the other direction, sourced from behind checkpoint to the far end it did not work, in the checkpoint logs it said no SA has been established, although there was a matching SA for these host pairs as I could run the same traffic in the opposite direction without issue.

I turned debugging on the Cisco phase 2 and found the checkpoint was trying to propose a /16 mask for the local network address which is in the gateways encryption domain, the /16 was not in the override, I tested by temporarily adding a /16 to the enc domain on the cisco side and guess what it worked.

Is there any reason why checkpoint would not use its override domain for outgoing traffic?

Marcel_Gramalla · ‎2022-02-09

Hi,

unfortunately you can't use this feature in that scenario. The override only works correctly if you select a host/network that is in the regular encryption domain. So if you have a /16 subnet in that you can only use that in the override.

This makes this feature useless for us. Look at this sk: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

You can achieve that only with manually editing the user.DEF accordingly.

Ryan_Ryan · ‎2022-02-09

thank you for that. yes agreed that feature is not really at all useful as it sounded like it would be!

I would just add the /32 to the gateway encryption domain aswell but knowing the way checkpoint treats subnet masks it could cause issues with all our existing vpns.

the_rock · ‎2022-02-09

Do you have correct vpn domains configured as per different vpn communities? Yes, you can have certain vpn domain configured on your gateway (cluster) object, but different domains can be used for different vpn tunnels.

Ryan_Ryan · ‎2022-02-09

Yes that is what I have done, the gateway has an encryption domain 10.0.0.0/16 in it, but for this specific community I have used a group containing 10.0.10.10/32. But the phase 2 proposal still comes as /16 from the checkpoint

if you are meaning have I defined it using the user.def file then no I haven't used that method.

the_rock · ‎2022-02-09

K, I get what you are saying. Yea, that might be a bit tricky, since /32 is just single host, so it would not override. I believe @Marcel_Gramalla is correct, you may have to manually modify that in user.def file. I know with customer I worked with before, they never had this sort of problem, but then they did not use anything but subnets and Im pretty certain that any subnets they did end up using to override, were in fact part of original gateway encryption domain. See, all this comes from ages ago where it was always the case that CP would use largest possible subnet.

Maybe check settings I attached to make sure they are correct, that could be an issue. If they are not set to false, set them in guidbedit, save, push policy and then try again.

Andy

Are you a member of CheckMates?

R81.10 VPN encryption domain override