topic Re: S2S VPN and Encryption Domain in Firewall and Security Management

S2S VPN and Encryption Domain

BikeMan — Thu, 09 Nov 2023 12:46:55 GMT

Hello all,

Having an issue using VPN between CP peers.

I have 3 peers (R81.10 hfa110) managed by the same CMA: P1, P2, P3.

Each peers have their own private network: N1,N2,N3.

I have 2 communities:

C1: P2-P3

C2:P3-P1.

N2 can reach N3 each other using VPN C1 and it is working fine.

From N1, I have to reach N2 using a MPLS network, BUT when some specifics ip from N1 has to reach some specific IP in N2 we want to use VPN C2.

So, within C1 I have the following encryption domain (defined per community):

P2=N2

P3=N3

And wihtin C2:

P3= few ip within N3

P1=N1.

And sometimes communication between N2-N3 doesn't work (vpn errro 01: wrong peer).

Running the vpn overlap_encdom, I have the following error: "Same destination adress can be reached in more the one community. This configuration is not supported."

Does that really mean an ip can't be part of several communities ?

Many thanks for your help.

Rgds,

Re: S2S VPN and Encryption Domain

CaseyB — Thu, 09 Nov 2023 15:40:17 GMT

An IP can be a part of several communities, the problem is there are duplicate destination IPs within multiple communities. That is why NAT was invented.

It seems like P3 talks to P1 and P2, why not just make a single Star VPN community and route traffic that way? Or possibly set them all up in a Mesh VPN community?

Re: S2S VPN and Encryption Domain

BikeMan — Thu, 14 Dec 2023 08:44:17 GMT

For sure I would prefer to create a complete Mesh VPN. But customer doesn't want to...

As far as I know the same destination ip can be part of several communities (without using NAT).