This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CheckPointer_IT
Collaborator
‎2022-06-25 03:59 AM

IKE IDs is smaller than Encryption Domain definition

Hi all,

very small setup:

S2S VPN Domain based, my enc domain has only 10.10.0.0/16,

Anyway, what i found by vpn tu is that my ike id is 10.10.0.0/17.

Trying to connect to a host inside 10.10.128.0/17, I get a new IKE id with a /32 on my side, this is related to the host IP of course.

I checked all my communities, but it seems that this behavior is not linked to sk170857.

So, why this happens?

Maybe some NAT rule inside 10.10.128.0/17 is breaking the subnet because of the natted IP which is not in peer's enc domain?

 

thanks a lot

 
Labels
0 Kudos
5 Replies
the_rock
Champion
Champion
‎2022-06-25 04:05 AM

Go to guidbedit and search for supernet, ike_use...cant remember exact values now, but may have to do with those.

0 Kudos
CheckPointer_IT
Collaborator
‎2022-06-25 04:09 AM
In response to the_rock

do you mean ike_use_largest_possible_subnets ?

It seems that i'm facing the opposite problem...

0 Kudos
the_rock
Champion
Champion
‎2022-06-25 04:11 AM
In response to CheckPointer_IT

Yes, that, but also any supernet setting, turn it to false.

Vladimir
Champion
Champion
‎2022-06-25 01:04 PM

Check the VPN community settings to see if it is configured "per pair of hosts".

0 Kudos
CheckPointer_IT
Collaborator
‎2022-06-25 03:15 PM
In response to Vladimir

Hello Vladimir,

Thank you for your feedback.

Of course is configured "per subnet pair", domain based setup.

Next hours i will check for previous mentioned dnguiedt value