This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
IT_Eng
Participant
‎2022-08-15 09:23 AM

Site-to-Site VPN with overlap subnets between communities

Hello Mates,

 

We have an existing community with a tunnel to Palo Alto A with subnet 10.16.0.0/15 behind it.

We need to create a new tunnel in a different community to a Palo Alto B with a subnet of 10.16.100.0/24.

The tunnel to tunnel B is not even initiating IKE, all the traffic is going to the existing tunnel to Palo Alto A.

I know that the proper subset (as called by Checkpoint) is not supported in general, but is it not clear which side the proper subset is referred to.

The only option I see is a route-based VPN for the new tunnel. But I thought I will ask here before if there is something different to try.

 

SMS and gateway os R81.10

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2022-08-17 10:54 AM

You'd have to define the encryption domains without overlaps for this to work correctly, I suspect.
If that's not possible, it does probably mean moving to route-based VPNs.

0 Kudos
IT_Eng
Participant
‎2022-08-18 01:36 AM
In response to PhoneBoy

Thanks for the answer.

So I've already tried route-based in the meantime, without success. But, it was configured only on tunnel B so I presume this was the reason that it didn't work.

Any other suggestions? I'm trying PBR as I write this comment.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-08-18 08:26 AM
In response to IT_Eng

Mixing route and domain based VPNs has some limitations: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Namely that domain based VPNs take precedence over route-based VPNs, which is exactly what you're experience here.
PBR probably won't work as I believe domain-based VPNs take priority.

0 Kudos
IT_Eng
Participant
‎2022-08-21 06:45 AM
In response to PhoneBoy

Thanks for your answers!

0 Kudos
motip
Employee
Employee
‎2022-08-23 07:21 AM
In response to IT_Eng

A possible solution may be for the 3rd-party to Statically NAT the overlapping subnet to another subnet that doesn't collide with either their internal subnets or CP VPN domains (probably for the peer having 10.16.100.0/24). From CP side you'll need to define the NAT subnet as part of the peer's encryption domain and remove the overlap section from it.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫