| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| I am in the process of setting up a site-to-site VPN with a remote client. Usually we use our private IP addresses, and once the tunnel is up, remote users are able to ping through. Now I have a new client who is unfortunately using the same private IP range as us. My question is: if I now add a new public address to a node that only had an internal address, will it affect existing VPNs that have been using the private address? E.g. Node a = 172.16.14.1 and Node b = 172.16.14.2; these are the private addresses used with the remote client site-to-site VPN. Now, using the same Node a and Node b, I need to add public addresses to their NAT: Node a = 172.16.14.1 also 90.172.12.1, Node b = 172.16.14.2 also 90.172.12.2. Will there be an issue? If there is going to be, how else can I set up a VPN to another site which also has the same internal network as us? Thanks |
| |||
| Depends on how you define your NAT rules. Set it up to not NAT for the existing VPNs that you don't want to break. (I think it's a check box on the VPN settings.) Now you know why those of us who've done this before insist on public addresses for all VPNs to third parties. Always use public IPs, and you don't run into these problems with clashes. |
| |||
| Thanks for your reply. Is this the 'Disable NAT inside the VPN community'? So does that mean I can go to the site-to-site VPN of the existing VPN and click on 'Disable NAT inside the VPN community' and they will not be affected? Leave it unselected for the new VPN and the NATed address will be used. In fact I have just checked and most of them have this selected even though I am using private addresses. Is this correct? Thanks Last edited by 1q2w3e; 2006-11-24 at 09:15. |
| |||
| Yes, that sounds right. If you have it selected, and you're using private addresses, you're not going to have any problems. It's when you do want to do NAT that you need it unselected. |
| |||
| I have done this and I get the error 'encryption fail reason: Cannot identify peer for encrypted connection (VPN Error code 02)'. So I have had to go and remove the NAT address for the clients. How can I resolve this? Luckily not all the VPN users had come onboard. Will the existing users have been affected by the above error message? Thanks |