<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: VPN Community Subnet exclusion in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Community-Subnet-exclusion/m-p/11372#M93946</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The crypt.def modifications are&amp;nbsp;based on destination IP.&lt;/P&gt;&lt;P&gt;Destination IPs are presumed to be &lt;EM&gt;unique&lt;/EM&gt; between all defined VPN communities (otherwise, you have bigger issues).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 20 Jul 2018 19:56:58 GMT</pubDate>
    <dc:creator>PhoneBoy</dc:creator>
    <dc:date>2018-07-20T19:56:58Z</dc:date>
    <item>
      <title>VPN Community Subnet exclusion</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Community-Subnet-exclusion/m-p/11371#M93945</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a configuration in which I have different communities (R77.30 GW), and I have some overlapping subnets in the VPN encryption. The first community (community1) includes 3 CKPS gateways; each gateway has a 10.6.x.0/24 in its VPN domain (10.6.1.0/24 for the first gateway, 10.6.2.0/24 for the second, ...), and the communication works fine. I now need to add a new community (community2) to a central location (interoperable gateway - SOPHOS Firewall), and this IG presents a 10.0.0.0/8 subnet in its VPN domain and phase 2 subnet. When I define this new community, the communication between the 10.6.x.0/24 subnets stops working. I have found 'Excluding subnets in encryption domain from accessing a specific VPN community' - sk86582, which explains the crypt.def management, but since my goal is to exclude the flow between all the 10.6.x.0/24 subnets in the new community (community2), I can't find a way in the crypt.def file to define a specific community to be sure the exclusions are only applied to community2. Does somebody have an idea about this configuration?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;BRgds&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 20 Jul 2018 09:12:31 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Community-Subnet-exclusion/m-p/11371#M93945</guid>
      <dc:creator>Herve_SCHLECHT</dc:creator>
      <dc:date>2018-07-20T09:12:31Z</dc:date>
    </item>
    <item>
      <title>Re: VPN Community Subnet exclusion</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Community-Subnet-exclusion/m-p/11372#M93946</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The crypt.def modifications are&amp;nbsp;based on destination IP.&lt;/P&gt;&lt;P&gt;Destination IPs are presumed to be &lt;EM&gt;unique&lt;/EM&gt; between all defined VPN communities (otherwise, you have bigger issues).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 20 Jul 2018 19:56:58 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Community-Subnet-exclusion/m-p/11372#M93946</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2018-07-20T19:56:58Z</dc:date>
    </item>
  </channel>
</rss>

