IT_Eng
Participant

Site-to-Site VPN with overlapping subnets between communities

Hello Mates,

We have an existing community with a tunnel to Palo Alto A with subnet 10.16.0.0/15 behind it.

We need to create a new tunnel in a different community to a Palo Alto B with a subnet of 10.16.100.0/24.

Tunnel B is not even initiating IKE; all the traffic is going to the existing tunnel to Palo Alto A.

I know that a "proper subset" (as Check Point calls it) is not supported in general, but it is not clear which side the proper subset refers to.

The only option I see is a route-based VPN for the new tunnel. But I thought I would ask here first in case there is something different to try.

SMS and gateway OS: R81.10

0 Kudos
5 Replies
PhoneBoy
Admin

You'd have to define the encryption domains without overlaps for this to work correctly, I suspect.
If that's not possible, it does probably mean moving to route-based VPNs.

0 Kudos
IT_Eng
Participant

Thanks for the answer.

So I've already tried route-based in the meantime, without success. But it was configured only on tunnel B, so I presume this was the reason it didn't work.

Any other suggestions? I'm trying PBR as I write this comment.

0 Kudos
PhoneBoy
Admin

Mixing route and domain based VPNs has some limitations: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Namely that domain-based VPNs take precedence over route-based VPNs, which is exactly what you're experiencing here.
PBR probably won't work as I believe domain-based VPNs take priority.

0 Kudos
IT_Eng
Participant

Thanks for your answers!

0 Kudos
motip
Employee

A possible solution may be for the third party to statically NAT the overlapping subnet to another subnet that doesn't collide with either their internal subnets or the CP VPN domains (probably for the peer having 10.16.100.0/24). From the CP side you'll need to define the NAT subnet as part of the peer's encryption domain and remove the overlapping section from it.
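The two findings of the thread, that 10.16.100.0/24 behind Palo Alto B is a proper subset of 10.16.0.0/15 behind Palo Alto A and so a destination in it matches both encryption domains, and motip's fix of presenting Palo Alto B's subnet to Check Point through a static NAT range that collides with nothing, can be checked before touching the policy. The script below is an added example and is not code from this thread or from Check Point; it only reasons about address ranges with the standard library. The community table, peer names, the NAT range 192.0.2.0/24 and the list of Palo Alto B's other internal subnets are constructed to mirror the thread's numbers and are otherwise hypothetical.

```python
"""Encryption-domain overlap check for domain-based VPN communities.

Added example, not code from the thread or from Check Point. The community
table, peer names and subnets are constructed to mirror the thread
(10.16.0.0/15 behind Palo Alto A, 10.16.100.0/24 behind Palo Alto B); the
NAT subnet and the peer's internal subnets are hypothetical.
"""
from copy import deepcopy
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed data: community -> peer -> encryption-domain networks (hypothetical names).
COMMUNITIES = {
    "community_A": {"PaloAlto_A": ["10.16.0.0/15"]},
    "community_B": {"PaloAlto_B": ["10.16.100.0/24"]},
}
# Hypothetical: other subnets inside Palo Alto B's site that a NAT range must not collide with.
PEER_B_INTERNAL = ["10.16.100.0/24", "172.16.0.0/12"]


def _entries(communities):
    """Flatten the table into (community, peer, IPv4Network/IPv6Network) tuples."""
    return [(comm, peer, ip_network(net))
            for comm, peers in communities.items()
            for peer, nets in peers.items()
            for net in nets]


def find_overlaps(communities):
    """Report every pair of encryption-domain networks in *different* communities
    that overlap. Two CIDR blocks that overlap always nest, so each finding says
    which network is the proper subset of which (or that they are equal)."""
    findings = []
    for (c1, p1, n1), (c2, p2, n2) in combinations(_entries(communities), 2):
        if c1 == c2 or n1.version != n2.version or not n1.overlaps(n2):
            continue
        if n1 == n2:
            findings.append({"relation": "equal", "peers": (p1, p2), "net": str(n1)})
            continue
        if n1.subnet_of(n2):           # n1 is the smaller block
            sub, sup = (p1, n1), (p2, n2)
        else:
            sub, sup = (p2, n2), (p1, n1)
        findings.append({"relation": "proper subset",
                         "subset_peer": sub[0], "subset": str(sub[1]),
                         "superset_peer": sup[0], "superset": str(sup[1])})
    return findings


def matching_domains(dst, communities):
    """Every (community, peer) whose encryption domain contains the destination address.
    More than one hit means the destination is ambiguous between communities."""
    ip = ip_address(dst)
    return [(comm, peer) for comm, peer, net in _entries(communities)
            if net.version == ip.version and ip in net]


def check_nat_candidate(candidate, communities, peer_internal_subnets):
    """Collisions of a proposed static-NAT subnet with any encryption domain in any
    community, or with the peer's own internal subnets. Empty list means usable."""
    cand = ip_network(candidate)
    conflicts = [f"{comm}/{peer}:{net}" for comm, peer, net in _entries(communities)
                 if net.version == cand.version and net.overlaps(cand)]
    conflicts += [f"peer-internal:{net}" for net in map(ip_network, peer_internal_subnets)
                  if net.version == cand.version and net.overlaps(cand)]
    return conflicts


def apply_static_nat(communities, community, peer, real_subnet, nat_subnet):
    """New community table where the peer's real subnet is replaced by the NAT subnet
    (the Check Point side then only ever sees the NAT range for that peer)."""
    fixed = deepcopy(communities)
    nets = fixed[community][peer]
    nets.remove(real_subnet)
    nets.append(nat_subnet)
    return fixed


if __name__ == "__main__":
    for finding in find_overlaps(COMMUNITIES):
        print("overlap:", finding)
    print("10.16.100.5 matches:", matching_domains("10.16.100.5", COMMUNITIES))
    # A "different" /24 that is still inside 10.16.0.0/15 is rejected ...
    print("10.17.0.0/24 conflicts:",
          check_nat_candidate("10.17.0.0/24", COMMUNITIES, PEER_B_INTERNAL))
    # ... while a range outside every domain and outside the peer's own subnets is clean.
    print("192.0.2.0/24 conflicts:",
          check_nat_candidate("192.0.2.0/24", COMMUNITIES, PEER_B_INTERNAL))
    fixed = apply_static_nat(COMMUNITIES, "community_B", "PaloAlto_B",
                             "10.16.100.0/24", "192.0.2.0/24")
    print("overlaps after NAT:", find_overlaps(fixed))
    print("192.0.2.5 matches:", matching_domains("192.0.2.5", fixed))
```

The point of the 10.17.0.0/24 probe is the caveat a practitioner wants before agreeing a NAT range with the third party: a subnet that looks unrelated to 10.16.100.0/24 can still sit inside the /15 behind Palo Alto A, and then the new encryption domain overlaps exactly as before. Once the NAT range passes the check and replaces the real subnet in community B, no destination matches more than one domain, which is the condition the thread identifies as necessary for the second community to carry traffic at all.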
