Encryption domain composed of contiguous subnets

The encryption domain is composed of the following subnets:
- 192.168.10.0/24
- 192.168.11.0/24
The distant-end gateway of the VPN is a NetScreen, and he has my encryption domain set up as 192.168.11.0/24. This configuration worked with a Checkpoint 4.1 SP5 firewall.
Communications to 192.168.11.0/24 fail to talk to his network. "No SA" was the reason for the drops.
Checkpoint NG sees 192.168.10.0/24 and 192.168.11.0/24 as contiguous and supernets them to 192.168.10.0/23 for the IKE negotiations, resulting in an encryption domain mismatch between NG and the NetScreen. Redefining the encryption domain on the NetScreen solved the problem.
Has anyone run into issues where NG helpfully consolidates contiguous networks rather than handling them discretely?
Answer

There is a property, ike_use_largest_possible_subnets, that is set to true. You need to set this to false. However, there is a bug that prevents this property from working. In NG FP3, you will need to obtain the latest Hotfix Accumulator and read the release notes for additional instructions.
--
RobertGraham - 07 Jan 2004
FAQForm
FAQs.Class: EncryptionFAQs
FAQs.OS:
FAQs.Version:
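The following Python is an added illustration of the behaviour described in the question and the answer above; it is not code from the original post, from Check Point or from Juniper/NetScreen. It builds the Phase 2 (Quick Mode) identities a gateway would offer from its encryption domain, once with contiguous subnets merged into the largest enclosing supernet (the NG behaviour the poster observed, mirrored here by a parameter named after the ike_use_largest_possible_subnets property) and once with each subnet offered as-is, and then checks each offered ID against what the peer has configured. The peer-side rule, that an ID is accepted only when it exactly equals one of the peer's configured networks and otherwise no SA is built, is an assumption that simplifies real NetScreen proxy-ID handling. The sample domains are constructed to match the post.

```python
"""Model of how a VPN gateway derives its IKE Phase 2 identities from an
encryption domain, and why merging contiguous subnets into a supernet breaks a
tunnel with a peer that expects the original subnets.

Added illustration, not Check Point or NetScreen code. The peer-side matching
rule (exact equality with a configured network) is an assumption.
"""
import ipaddress


def phase2_ids(encryption_domain, use_largest_possible_subnets):
    """Return the networks a gateway would offer as Phase 2 IDs, as strings.

    With use_largest_possible_subnets=True, contiguous and properly aligned
    networks are collapsed into the largest enclosing supernet (the behaviour
    the post attributes to Checkpoint NG); with False each subnet is offered
    unchanged.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in encryption_domain]
    if use_largest_possible_subnets:
        # collapse_addresses() merges adjacent networks that together form a
        # single larger CIDR block, e.g. 192.168.10.0/24 + 192.168.11.0/24
        # -> 192.168.10.0/23; 192.168.11.0/24 + 192.168.12.0/24 stay separate.
        nets = list(ipaddress.collapse_addresses(nets))
    return [str(n) for n in sorted(nets)]


def unmatched_ids(proposed, peer_domain):
    """Proposed Phase 2 IDs that have no identical entry on the peer.

    Assumption: the peer accepts an ID only when it exactly equals one of its
    own configured networks; anything else is rejected and no SA is built.
    """
    peer = {ipaddress.ip_network(c, strict=True) for c in peer_domain}
    return [p for p in proposed if ipaddress.ip_network(p) not in peer]


def tunnel_check(local_domain, peer_domain, use_largest_possible_subnets):
    """Simulate one negotiation: (IDs we propose, IDs the peer would reject)."""
    proposed = phase2_ids(local_domain, use_largest_possible_subnets)
    return proposed, unmatched_ids(proposed, peer_domain)


if __name__ == "__main__":
    # Constructed data mirroring the post: the NG side carries two /24s, the
    # NetScreen side was originally configured for 192.168.11.0/24 only.
    local = ["192.168.10.0/24", "192.168.11.0/24"]
    scenarios = [
        (["192.168.11.0/24"], True),   # NG default: merged to /23, nothing matches
        (["192.168.11.0/24"], False),  # property off: .11 works, .10 still does not
        (["192.168.10.0/23"], True),   # peer redefined to the supernet: all match
    ]
    for peer, merge in scenarios:
        proposed, rejected = tunnel_check(local, peer, merge)
        print(f"merge={merge!s:5} peer={peer} proposed={proposed} rejected={rejected}")
```

The second scenario reproduces the 4.1 SP5 situation the poster describes: with each subnet negotiated discretely, the 192.168.11.0/24 ID matches and traffic for that subnet flows, while 192.168.10.0/24 would still need its own entry on the peer. The first scenario is the NG failure (the merged /23 matches nothing, hence "No SA"), and the third is the fix the poster applied on the NetScreen.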