IT_Eng
Participant

Site-to-Site VPN with overlap subnets between communities

Hello Mates,

 

We have an existing community with a tunnel to Palo Alto A with subnet 10.16.0.0/15 behind it.

We need to create a new tunnel in a different community to a Palo Alto B with a subnet of 10.16.100.0/24.

The tunnel to Palo Alto B is not even initiating IKE; all the traffic is going to the existing tunnel to Palo Alto A.

I know that the proper subset (as Check Point calls it) is not supported in general, but it is not clear which side the proper subset refers to.

The only option I see is a route-based VPN for the new tunnel. But I thought I will ask here before if there is something different to try.

 

SMS and gateway OS: R81.10

5 Replies
PhoneBoy
Admin

You'd have to define the encryption domains without overlaps for this to work correctly, I suspect.
If that's not possible, it does probably mean moving to route-based VPNs.

IT_Eng
Participant

Thanks for the answer.

So I've already tried route-based in the meantime, without success. But it was configured only on tunnel B, so I presume this was the reason it didn't work.

Any other suggestions? I'm trying PBR as I write this comment.

PhoneBoy
Admin

Mixing route and domain based VPNs has some limitations: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Namely, domain-based VPNs take precedence over route-based VPNs, which is exactly what you're experiencing here.
PBR probably won't work as I believe domain-based VPNs take priority.

IT_Eng
Participant

Thanks for your answers!

motip
Employee

A possible solution may be for the third party to statically NAT the overlapping subnet to another subnet that doesn't collide with either their internal subnets or the CP VPN domains (probably for the peer having 10.16.100.0/24). From the CP side you'll need to define the NAT subnet as part of the peer's encryption domain and remove the overlapping section from it.
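The following is an added example, not code from the thread or from Check Point: a small stdlib-only checker that models the two fixes suggested above, PhoneBoy's "define the encryption domains without overlaps" and motip's static NAT of the smaller subnet. It takes the two subnets named in the thread, reports the proper-subset relation between them, shows which peers claim a given destination, and then verifies that either fix leaves no overlap. The peer labels and the replacement subnet 192.168.100.0/24 are assumptions chosen for illustration; the real SmartConsole object names and the NAT range on the Palo Alto side would differ.

```python
"""Overlap check for two VPN peers' encryption domains, plus the two fixes
discussed in the thread: carving the overlap out of the larger domain, and
static-NATting the smaller one. Pure stdlib (ipaddress), Python 3.7+."""
import ipaddress
from itertools import combinations

# Constructed configuration using the subnets named in the thread.
# The peer names are illustrative labels, not real SmartConsole object names.
PEERS = {
    "Palo Alto A": ["10.16.0.0/15"],
    "Palo Alto B": ["10.16.100.0/24"],
}


def _nets(domains):
    return [(peer, ipaddress.ip_network(n)) for peer, ns in domains.items() for n in ns]


def overlaps(domains):
    """Every pair of networks belonging to *different* peers that overlap, with the
    relation between them (Check Point's 'proper subset' case included).
    An empty list means the encryption domains are disjoint."""
    found = []
    for (p1, n1), (p2, n2) in combinations(_nets(domains), 2):
        if p1 == p2 or not n1.overlaps(n2):
            continue
        if n1 == n2:
            rel = "identical"
        elif n1.subnet_of(n2):
            rel = f"{n1} is a proper subset of {n2}"
        elif n2.subnet_of(n1):
            rel = f"{n2} is a proper subset of {n1}"
        else:
            rel = "partial overlap"
        found.append((p1, str(n1), p2, str(n2), rel))
    return found


def peers_for(dst, domains):
    """Sorted list of peers whose encryption domain contains dst. More than one
    entry means the destination is claimed by two tunnels, the ambiguity in the thread."""
    ip = ipaddress.ip_address(dst)
    return sorted(peer for peer, ns in domains.items()
                  if any(ip in ipaddress.ip_network(n) for n in ns))


def carve_out(domains, peer, exclude):
    """Fix 1 (define the domains without overlaps): replace any network in `peer`'s
    domain that contains `exclude` with the subnets covering it minus `exclude`.
    Entries that do not contain `exclude` are left untouched."""
    ex = ipaddress.ip_network(exclude)
    new = {p: list(ns) for p, ns in domains.items()}
    result = []
    for n in new[peer]:
        net = ipaddress.ip_network(n)
        if ex.subnet_of(net):
            result.extend(str(x) for x in net.address_exclude(ex))
        else:
            result.append(n)
    new[peer] = result
    return new


def apply_static_nat(domains, peer, original, translated):
    """Fix 2 (motip's suggestion): the peer statically NATs `original` to `translated`,
    and the CP side lists `translated` instead of `original` in that peer's domain.
    `translated` must itself be unused; run overlaps() on the result to confirm."""
    new = {p: list(ns) for p, ns in domains.items()}
    new[peer] = [translated if n == original else n for n in new[peer]]
    return new


if __name__ == "__main__":
    for row in overlaps(PEERS):
        print("OVERLAP:", row)
    print("10.16.100.10 claimed by:", peers_for("10.16.100.10", PEERS))

    carved = carve_out(PEERS, "Palo Alto A", "10.16.100.0/24")
    print("carved domain for A:", carved["Palo Alto A"])
    print("overlaps after carve-out:", overlaps(carved))

    # 192.168.100.0/24 is an assumed, otherwise unused replacement subnet.
    natted = apply_static_nat(PEERS, "Palo Alto B", "10.16.100.0/24", "192.168.100.0/24")
    print("overlaps after static NAT:", overlaps(natted))
    print("192.168.100.10 claimed by:", peers_for("192.168.100.10", natted))
```

Carving 10.16.100.0/24 out of 10.16.0.0/15 yields nine networks (one per prefix length from /16 to /24), so on the Check Point side that peer's VPN domain becomes a group of nine objects rather than one; whether that is acceptable operationally is a judgement call, which is why the NAT approach can be the cleaner option. With the NAT fix, hosts behind Palo Alto B are reached at their translated 192.168.100.x addresses from the Check Point side, and 10.16.100.x stays entirely with Palo Alto A.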