There are a few ways that you could possibly accomplish this. First, try to ascertain whether or not 10.1.1.31 is absolutely required in Customer1's VPN. If that host must specifically send or receive traffic inside Customer1's VPN, then there isn't much you can do without implementing NAT. However, if it is not an active host in Customer1's network, then this should be fairly simple to achieve.
The easiest solution without getting too complex is to use a group with exclusion on the Customer1 VPN domain. Create a group with exclusion that includes 10.1.1.0 but excludes 10.1.1.31. Then set the 10.1.1.31 object as the VPN domain for Customer2. That should prevent the overlap of the VPN domains. The disadvantage is that VPN-1 might negotiate a key for the incorrect subnet size, but that can be overridden by making manual entries in user.def if need be.

Another way to accomplish this is to set both the encryption domains to a blank group, and use Virtual Tunnel Interfaces (VTIs) to manually route both ranges to the relevant tunnel interface that is associated with the remote peer. The more-specific route for the single host should force only that traffic into Customer2's VPN.

Try to avoid using NAT on your side to accomplish this, as it gets tricky with regard to the inspection order and the VPN domain entries.

Hope this helps.

Matt

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of securitystig
Sent: 04 August 2010 04:26 PM
To: [email protected]
Subject: [FW-1] Two remote VPN peers with same internal subnet (not with gateway)

Hi,

I have a single R71.10 gateway with two simplified star (unmeshed) VPNs to two remote peers, each sharing the same internal range (one uses one IP), and they refuse to NAT.

Note: this is not an overlap between two gateways; here the same internal subnet is assigned in two different communities:

mygateway --------- customer1gateway (inside 10.1.1.0/24)
mygateway --------- customer2gateway (inside 10.1.1.31/32)

The policy installs, but both communities are ignored (install errors). As the customer refuses to NAT their inside range on their side, are there any other potential solutions? This UTM-1 replaces a G2 Sidewinder that's working fine with two peers with the same address ranges.

Thoughts?
Eric

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
Scanned by Check Point Total Security Gateway.
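The following is an added example written for this page; it is not code from the thread, from Check Point, or from either poster. It models the two fixes Matt proposes with nothing but the standard library: an encryption domain is a list of IPv4 networks, a "group with exclusion" is set difference over networks, and a pair of VTIs is a route table consulted by longest-prefix match. It shows why the original policy clashes (10.1.1.31/32 lies inside 10.1.1.0/24), that excluding the host removes the clash, that the exclusion leaves eight CIDR blocks rather than one /24 (the subnet-size caveat Matt raises), and that a /32 route steers only that host into the second tunnel. The VTI names "vt-customer1" and "vt-customer2" are made up for the example.

```python
"""
Added example (not from the thread, not Check Point code): a small model of the
two fixes described above. Encryption domains are lists of IPv4 networks, a
'group with exclusion' is set difference over networks, and a VTI route table
is longest-prefix match. Interface names such as "vt-customer1" are made up.
"""
import ipaddress


def parse_domain(cidrs):
    """Turn CIDR strings into IPv4Network objects (strict: host bits must be 0)."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def domain_overlaps(domain_a, domain_b):
    """Return every (net_a, net_b) pair that overlaps between two encryption
    domains. A non-empty result is the condition that makes two communities on
    the same gateway clash (10.1.1.31/32 sits inside 10.1.1.0/24)."""
    return [(a, b) for a in domain_a for b in domain_b if a.overlaps(b)]


def group_with_exclusion(included, excluded):
    """Model of a group-with-exclusion object: every included network minus
    every excluded network, returned as the minimal sorted list of CIDR blocks.
    Carving one host out of a /24 leaves eight blocks, not one."""
    result = list(included)
    for ex in excluded:
        remaining = []
        for net in result:
            if net.subnet_of(ex):
                continue                                   # wholly excluded, drop it
            if ex.subnet_of(net):
                remaining.extend(net.address_exclude(ex))  # split around the hole
            else:
                remaining.append(net)                      # untouched
        result = remaining
    return sorted(result)


def select_tunnel(routes, dst):
    """Longest-prefix match over (network, interface) routes, the way a route
    table with two VTIs picks a tunnel. Returns None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, vti) for net, vti in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def demo():
    """Run both fixes against the ranges from the thread and return the results."""
    customer1 = parse_domain(["10.1.1.0/24"])
    customer2 = parse_domain(["10.1.1.31/32"])

    # Fix 1: a group with exclusion on Customer1's domain removes the clash.
    customer1_fixed = group_with_exclusion(customer1, customer2)

    # Fix 2: blank domains plus VTIs; the /32 route wins by longest prefix.
    routes = [
        (ipaddress.ip_network("10.1.1.0/24"), "vt-customer1"),   # made-up VTI names
        (ipaddress.ip_network("10.1.1.31/32"), "vt-customer2"),
    ]
    return {
        "overlap_before": len(domain_overlaps(customer1, customer2)),
        "overlap_after": len(domain_overlaps(customer1_fixed, customer2)),
        "customer1_subnets": [str(n) for n in customer1_fixed],
        "tunnel_for_10.1.1.31": select_tunnel(routes, "10.1.1.31"),
        "tunnel_for_10.1.1.30": select_tunnel(routes, "10.1.1.30"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` reports one overlap before the exclusion and none after, lists the eight blocks 10.1.1.0/28 through 10.1.1.128/25 that now stand in for the /24, and sends 10.1.1.31 to the Customer2 tunnel while 10.1.1.30 still follows the /24 route. The eight-block result is the thing to check against the peer before committing to fix 1: a peer that proposes a single 10.1.1.0/24 in Phase 2 will not match eight smaller IDs, which is the situation the user.def override is meant for.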
