Hi Timothy,

I tried setting subnet_for_range_and_peer as 10.x.x.x/24 and unsetting the supernet flag, but it didn't help.

The problem isn't the Check Point's topology which is correctly 0/0, but the topology of the remote end which should be the /24. The Check Point doesn't propose to negotiate SA using that /24.

Thanks

Jamie

What version are you on? There are some settings in gudbedit related to this, I listed some below that might be relevant to your issue, which is pretty much sk Tim provided.

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnet

Technically, all those should be set to false, as otherwise, it would make CP send largest subnet, regardless if thats what you want or not.

Andy

Does your custom subnet per peer definition show up in command fw tab -t subnet_for_range_and_peer when run on the gateway?  If not you didn't modify the correct user.def* file for your gateway version.

If you are using at least R80.40 on your SMS you are able to precisely customize the local and remote Proxy-IDs/VPN Domains being requested by the Check Point on the Gateways screen of the VPN Community, and this will still work on gateways older than R80.40 as long as you have at least R80.40 on your SMS.

Hi all,

Firewall and manager are R81. user.def.FW1 is the file I edited, and the range is shown:

localhost:
-------- subnet_for_range_and_peer --------
static, id 540
<cb00713a, 0a1fef00, 0a1fefff; ffffff00>

In the community settings I set ike_p2_enable_supernet_from_R80.20 to false.

I changed global ike_use_largest_possible_subnets to false and pushed policy, but still failing. My test Juniper firewall shows:

Traffic-selector mismatch, vpn name: CHECKPOINT-VTI, Peer Proposed traffic-selector local-ip: ipv4(0.0.0.0-255.255.255.255), Peer Proposed traffic-selector remote-ip: ipv4(0.0.0.0-255.255.255.255)

Here's the globals before I edited the supernet:

There must be something else I'm missing but I can't see what.