IKE IDs is smaller than Encryption Domain definiti...

CheckPointerXL · ‎2022-06-25

Hi all,

very small setup:

S2S VPN Domain based, my enc domain has only 10.10.0.0/16,

Anyway, what i found by vpn tu is that my ike id is 10.10.0.0/17.

Trying to connect to a host inside 10.10.128.0/17, I get a new IKE id with a /32 on my side, this is related to the host IP of course.

I checked all my communities, but it seems that this behavior is not linked to sk170857.

So, why this happens?

Maybe some NAT rule inside 10.10.128.0/17 is breaking the subnet because of the natted IP which is not in peer's enc domain?

thanks a lot

the_rock · ‎2022-06-25

Go to guidbedit and search for supernet, ike_use...cant remember exact values now, but may have to do with those.

CheckPointerXL · ‎2022-06-25

do you mean ike_use_largest_possible_subnets ?

It seems that i'm facing the opposite problem...

the_rock · ‎2022-06-25

Yes, that, but also any supernet setting, turn it to false.

Vladimir · ‎2022-06-25

Check the VPN community settings to see if it is configured "per pair of hosts".

CheckPointerXL · ‎2022-06-25

Hello Vladimir,

Thank you for your feedback.

Of course is configured "per subnet pair", domain based setup.

Next hours i will check for previous mentioned dnguiedt value

Are you a member of CheckMates?