Usually when your firewall policy is not configured properly, Checkpoint SmartDashboard will notify you with useful details when you verify or install it. But sometimes, those information will make you feel lost. I met one case recently.
I worked on one IPSec VPN configuration from my vpn gateway fw-ras to customer’s gateway. The interesting traffic is from Customer public ip to our server’s public ip address 20.153.121.59 which is NAT-ed to internal ip address 10.1.106.59. On my gateway’s vpn domain includes this public ip 20.153.121.59 and Internal Segment 10.1.106.x/24.
The VPN works fine. Customer was able to reach us through IPSec VPN Tunnel. By the way I am using default NAT behaviour which is NAT happening on client side. The issue I met is the Partial Overlapping Encryption Domains warning message when I verified and installed policy.
Symptons:
Here is screenshots and copied error / warning messages:
“Network Security Policy ‘Standard’ was prepared on Wed Aug 26 13:36:44 2015.
The following errors and warnings exist: The gateways fw-ras and vpnm have partial overlapping encryption domains. Therefore, Endpoint Connect users will not support MEP configuration SecureRemote/SecureClient users will not be able to create site. If any of the GWs should not be exported to SR/SC, please remove it from the RemoteAccess community or uncheck the exportable for SR box. The overlapping domain include : 10.1.72.14 – 10.1.72.16 The exclusive domain of fw-ras include: 20.153.121.59 – 20.153.121.62 The exclusive domain of vpnm include: 10.1.240.0 – 10.1.240.255″
Basically it mentioned some ip addresses are used in multiple vpn domains, especially in RemoteAccess community. But I double checked both gateways fw-ras and vpnm, their encryption domains are not overlapping at all.
Interesting things, if I removed 20.153.121.59 from vpn encryption domain of gateway fw-ras, this error/warning message disappeared. But IPSec vpn configuration will need this public ip address to make sure the traffic can be encrypted and sent to customer’s gateway.
Solutions:
After unchecked the Exportable for SecuRemote/SecureClient, the installation is flawless.