Support Center > Search Results > SecureKnowledge Details
Using "Encryption Domain Per community" feature overrides Encryption Domain for other communities Technical Level
Symptoms
  • Using "Encryption Domain Per community (EDPC)" feature (User Defined) overrides Encryption Domain for other communities.
  • As an example of a problematic subnet, Check Point has a Backend Network, 10.10.10.0/24. A VPN peer sometimes needs to access this Backend Network to negotiate for a specific subnet/host. If in a particular community users use "User Defined" Network (EDPC) and add 10.10.10.8/30, it breaks the connectivity with the Existing tunnels using 10.10.10.0/24.
Cause
This is default behavior according to the design of the Check Point infrastructure used for the EDPC feature. The current design breaks the subnets into different ranges. 

For example, the above subnet (10.10.10.0/24) will be divided into 3 subnets:

10.10.10.0    -  10.10.10.7
10.10.10.8    -  10.10.10.11   (10.10.10.8/30)
10.10.10.12  -  10.10.10.255

The tunnels that only require the /30 Subnet work. However, the current design breaks the connectivity with tunnels that are expecting the /24 subnet. Check Point validates the source against each range and only negotiates that particular range with the peers. Eventually  the peers reject it, as they are expecting the /24 subnet in Phase-II negotiations.


Solution
Note: To view this solution you need to Sign In .