Using "Encryption Domain Per community" feature overrides Encryption Domain for other communities
Symptoms
  • Using "Encryption Domain Per community (EDPC)" feature (User Defined) overrides Encryption Domain for other communities.
  • As an example of a problematic subnet, consider a Check Point Backend Network of 10.10.10.0/24. VPN peers reach this Backend Network by negotiating a tunnel for it (or for a specific subnet/host within it). If one community uses a "User Defined" network (EDPC) and adds 10.10.10.8/30, this breaks connectivity for the existing tunnels that use 10.10.10.0/24.
Cause

This is default behavior according to the design of the Check Point infrastructure used for the EDPC feature. The current design breaks the subnets into different ranges.

For example, the above subnet (10.10.10.0/24) is divided into 3 subnets:

  • from 10.10.10.0 to 10.10.10.7
  • from 10.10.10.8 to 10.10.10.11 (10.10.10.8/30)
  • from 10.10.10.12 to 10.10.10.255

The only tunnels that still work are those that require the /30 subnet; the current design breaks connectivity for tunnels that require the /24 subnet.

Check Point validates the source against each range and only negotiates that particular range with the peers.

Eventually, the peers reject it, as they are expecting the /24 subnet in Phase-II negotiations.
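To make the range splitting and the resulting Phase-II mismatch concrete, here is an added Python model of the behaviour described above (it is not Check Point code). It splits the /24 at the /30 boundaries, picks the range a given source falls into, and shows that a peer expecting the full /24 would not accept the narrower selector; the last function is a pre-change check for user-defined networks that would fragment a domain other communities rely on.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample values from the article: the shared Backend Network
# and the "User Defined" (EDPC) network carved out of it by one community.
BACKEND_NET = ipaddress.ip_network("10.10.10.0/24")
EDPC_NET = ipaddress.ip_network("10.10.10.8/30")

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def split_ranges(domain: ipaddress.IPv4Network,
                 carve_outs: List[ipaddress.IPv4Network]) -> List[Range]:
    """Model of the EDPC design: each carve-out boundary splits the domain
    into contiguous, non-overlapping (first, last) address ranges."""
    cuts = {int(domain.network_address), int(domain.broadcast_address) + 1}
    for net in carve_outs:
        if net.subnet_of(domain):
            cuts.add(int(net.network_address))
            cuts.add(int(net.broadcast_address) + 1)
    points = sorted(cuts)
    return [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi - 1))
            for lo, hi in zip(points, points[1:])]


def proposed_range(ranges: List[Range], src: str) -> Range:
    """The gateway validates the source against each range and negotiates
    only the range that contains it."""
    addr = ipaddress.ip_address(src)
    for lo, hi in ranges:
        if lo <= addr <= hi:
            return (lo, hi)
    raise ValueError(f"{src} is outside the encryption domain")


def peer_accepts(proposed: Range, expected: ipaddress.IPv4Network) -> bool:
    """A peer configured for the full prefix expects exactly that prefix in
    Phase II and rejects a narrower selector."""
    return (proposed[0] == expected.network_address
            and proposed[1] == expected.broadcast_address)


def overlapping_carve_outs(domain: ipaddress.IPv4Network,
                           carve_outs: List[ipaddress.IPv4Network]):
    """Pre-change check: user-defined networks that overlap a domain still
    used by other communities, and would therefore fragment it."""
    return [n for n in carve_outs if n.overlaps(domain) and n != domain]
```

Running `overlapping_carve_outs` over the planned user-defined networks before pushing policy flags the /30 that would break the /24 tunnels.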


Solution