| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
Hello guys,

I have a site-to-site VPN between one partner company and the Remote Access VPN (SecuRemote) in the same firewall. It's running NGX R60. I've been receiving the error "Packet dropped due to no valid SA" in the logs; the problem is intermittent, and I think it's because of the way Encryption domains are configured.

In the site-to-site VPN, the remote network is something like 150.95.132.0/24 and this is configured in the Encryption domain for the firewall. However, in my Remote Access VPN (SecuRemote), there's network 150.95.0.0/16 in the Encryption domain. It's kinda weird but it's set up like this.

Do you think this overlapping encryption domain could be the reason why I'm getting the IPsec SA errors? Please help me if you have any ideas!

Thanks in advance,
Robori
__________________
CCSE NGX, CCNA, MCSE 2k, LPIc1, ITIL-F
| |||
Hi,

Well, you can try the following resolution if you are getting the error "packet is dropped as there is no valid SA". I hope you have access to SecureKnowledge; try the resolution sk22752. I hope that will help you.

Regards,
Ranjit
| |||
Thank you! But the thing is that this Site-To-Site VPN is using Shared Secrets instead of Certificates, and it's working for other source networks; just this one is not working.

__________________
CCSE NGX, CCNA, MCSE 2k, LPIc1, ITIL-F
| |||
Hi,

Thank you for the information. Well, if you have the same network on both sides then it will create the problem of overlapping domains. For the resolution to this issue, you need to create the NAT rules and the dummy networks. There is a resolution at the Check Point site, sk14569. Kindly go through it; I hope it will help you to resolve the issue. Also read the limitations.

Regards,
Ranjit
| |||
Try the command: vpn overlap_encdom on SmartCenter.

Domains are overlapping only if both the gateways on your end and at the remote end participating in the VPN have the same network defined in the VPN domain.
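The overlap asked about in this thread can also be checked offline from a list of the networks in each encryption domain. This is an added example, not code from any poster and not Check Point tooling; the domain names and the branch_office range are constructed, and the two CIDRs are the ones quoted in the first post.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: domain names are hypothetical; the two CIDRs are the
# ones quoted in the thread. Entries may be CIDR blocks or "first-last" ranges.
ENC_DOMAINS = {
    "partner_site_to_site": ["150.95.132.0/24"],
    "remote_access": ["150.95.0.0/16"],
    "branch_office": ["10.20.0.10-10.20.0.50"],  # constructed, overlaps nothing
}

def to_networks(entry):
    """Expand a CIDR or a 'first-last' range into a list of ip_network objects."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def find_overlaps(domains):
    """Return (domain_a, net_a, domain_b, net_b, relation) for every overlap."""
    expanded = {name: [n for e in entries for n in to_networks(e)]
                for name, entries in domains.items()}
    findings = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(expanded.items(), 2):
        for a in nets_a:
            for b in nets_b:
                if a.version != b.version or not a.overlaps(b):
                    continue
                # Two CIDR blocks that overlap are equal or one contains the other.
                if a == b:
                    relation = "identical"
                elif a.subnet_of(b):
                    relation = "first inside second"
                else:
                    relation = "second inside first"
                findings.append((name_a, str(a), name_b, str(b), relation))
    return findings

if __name__ == "__main__":
    for name_a, a, name_b, b, rel in find_overlaps(ENC_DOMAINS):
        print(f"{name_a} {a} overlaps {name_b} {b} ({rel})")
```
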