Encryption domain - object types

babicmilan — Tue, 22 Nov 2022 15:10:57 GMT

Hello,

I'm interested in Site to Site VPN local and remote encryption domain object types.

In some situations I have noticed that VPN Phase 2 doesn't work if I use in local and remote encryption domain objects type "host"

Lets assume:

Group_local_encryption_domain:

If I change objects type "host" to be "network" objects with mask /32 Phase 2 is up and everything works fine.

Group_local_encryption_domain:

Please, can someone confirm me that objects inside local or remote encryption domain must be type "network"?

Best regards.

Re: Encryption domain - object types

PhoneBoy — Tue, 22 Nov 2022 17:31:49 GMT

IPSEC Tunnels are negotiated typically based on subnet, not host (though it's configurable).
That implies the use of network (not host) objects.