Support Center > Search Results > SecureKnowledge Details
Using "Encryption Domain Per community" feature overrides Encryption Domain for other communities Technical Level
Symptoms
  • Using "Encryption Domain Per community (EDPC)" feature (User Defined) overrides Encryption Domain for other communities.
  • Check Point has a Backend Network of 10.10.10.0/24, that sometimes a peer requires to negotiate for a specific subnet/host. If in a particular community users use "User Defined" Network (EDPC) and add 10.10.10.8/30, it breaks the connectivity with the Existing tunnels using 10.10.10.0/24.
Cause
This is because of the Check Point infrastructure that is used for the EDPC feature. The current design will break the subnets into different ranges. 

For example, the above subnet (10.10.10.0/24) will be divided into 3 subnets:

10.10.10.0    -  10.10.10.7
10.10.10.8    -  10.10.10.11   (10.10.10.8/30)
10.10.10.12  -  10.10.10.255

The tunnels that only require the /30 Subnet work, However, the current design breaks the connectivity with tunnels that are expecting the /24 subnet. Check Point validates the source against each range and only negotiates that particular range with the peers. Eventually  the peers reject it, as they are expecting the /24 subnet in Phase-II negotiations.


Solution
Note: To view this solution you need to Sign In .