This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BikeMan
Contributor
‎2023-11-09 04:46 AM

S2S VPN and Encryption Domain

Hello all,

Having an issue using VPN between CP peers.

I have 3 peers (R81.10 hfa110) managed by the same CMA: P1, P2, P3.

Each peers have their own private network: N1,N2,N3.

I have 2 communities:

C1: P2-P3

C2:P3-P1.

 

N2 can reach N3 each other using VPN C1 and it is working fine.

From N1, I have to reach N2 using a MPLS network, BUT when some specifics ip from N1 has to reach some specific IP in N2 we want to use VPN C2.

So, within C1 I have the following encryption domain (defined per community):

P2=N2

P3=N3

And wihtin C2:

P3= few ip within N3

P1=N1.

 

And sometimes communication between N2-N3 doesn't work (vpn errro 01: wrong peer).

Running the vpn overlap_encdom, I have the following error: "Same destination adress can be reached in more the one community. This configuration is not supported."

 

Does that really mean an ip can't be part of several communities ? 

Many thanks for your help.

Rgds,

 

 

0 Kudos
2 Replies
CaseyB
Advisor
‎2023-11-09 07:40 AM

An IP can be a part of several communities, the problem is there are duplicate destination IPs within multiple communities. That is why NAT was invented.

It seems like P3 talks to P1 and P2, why not just make a single Star VPN community and route traffic that way? Or possibly set them all up in a Mesh VPN community?

0 Kudos
BikeMan
Contributor
‎2023-12-14 12:44 AM
In response to CaseyB

For sure I would prefer to create a complete Mesh VPN. But customer doesn't want to...

As far as I know the same destination ip can be part of several communities (without using NAT).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events