Wednesday, August 26, 2015

Check Point Error: Partial Overlapping Encryption Domains When Verifying or Installing Policy

Usually when your firewall policy is not configured properly, Checkpoint SmartDashboard will notify you with useful details when you verify or install it. But sometimes, those information will make you feel lost. I met one case recently.

I worked on one IPSec VPN configuration  from my vpn gateway fw-ras to customer's gateway. The interesting traffic is from Customer public ip to our server's public ip address 20.153.121.59 which is NAT-ed to internal ip address 10.1.106.59. On my gateway's vpn domain includes this public ip 20.153.121.59 and Internal Segment 10.1.106.x/24.

The VPN works fine. Customer was able to reach us through IPSec VPN Tunnel. By the way I am using default NAT behaviour which is NAT happening on client side. The issue I met is the Partial Overlapping Encryption Domains warning message when I verified and installed policy.




Symptons:

Here is screenshots and copied error / warning messages:


"Network Security Policy 'Standard' was prepared on Wed Aug 26 13:36:44 2015.

The following errors and warnings exist: The gateways fw-ras and vpnm have partial overlapping encryption domains. Therefore, Endpoint Connect users will not support MEP configuration SecureRemote/SecureClient users will not be able to create site. If any of the GWs should not be exported to SR/SC, please remove it from the RemoteAccess community or uncheck the exportable for SR box. The overlapping domain include : 10.1.72.14 - 10.1.72.16 The exclusive domain of fw-ras include: 20.153.121.59 - 20.153.121.62 The exclusive domain of vpnm include: 10.1.240.0 - 10.1.240.255"

Basically it mentioned some ip addresses are used in multiple vpn domains, especially in RemoteAccess community. But I double checked both gateways fw-ras and vpnm, their encryption domains are not overlapping at all.

Interesting things, if I removed  20.153.121.59 from vpn encryption domain of gateway fw-ras, this error/warning message disappeared. But IPSec vpn configuration will need this public ip address to make sure the traffic can be encrypted and sent to customer's gateway.


Solutions:

Good thing in the message is it mentioned "If any of the GWs should not be exported to SR/SC, please remove it from the RemoteAccess community or uncheck the exportable for SR box". Since the gateway fw-ras is not in RemoteAccess community, the only option for me is to uncheck the exportable for SR box.

I found the option in the gateway's properties window -> IPSec VPN -> Traditional mode configuration...:



After unchecked the Exportable for SecuRemote/SecureClient, the installation is flawless.

Reference:

sk101986 - "The gateways XXX and YYY have partial overlapping encryption domains" error during Policy Verification


No comments:

Post a Comment