
VPN Community Subnet exclusion

Hello,

I have a configuration in which I have different Communities (R77.30 GW) and I have some overlapping subnets in the VPN encryption. The first community (community1) includes 3 CKPS Gateways, each gateway has a 10.6.x.0/24 in its VPN domain (10.6.1.0/24 for the first gateway, 10.6.2.0/24 for the second, ...) and the communication works fine. I now need to add a new community (community2) to a central location (interoperable gateway - SOPHOS Firewall) and this IG presents a 10.0.0.0/8 subnet in its VPN Domain and phase 2 subnet. When I define this new Community, the communication between the 10.6.x.0/24 subnets stops working. I have found 'Excluding subnets in encryption domain from accessing a specific VPN community' - sk86582, which explains the crypt.def management, but since my goal is to exclude the flows between all the 10.6.x.0/24 subnets in the new community (community2), I haven't found a way in the crypt.def file to define a specific community to be sure the exclusion is only applied to community2. Does somebody have an idea about this configuration?

BRgds

1 Reply
Admin

Re: VPN Community Subnet exclusion

The crypt.def modifications are based on destination IP.

Destination IPs are presumed to be unique between all defined VPN communities (otherwise, you have bigger issues).
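To make the reply's point concrete, here is an added example (not from the thread, not Check Point code, and it emits no crypt.def syntax) that models the situation described in the question with constructed data: three 10.6.x.0/24 gateway domains in community1 and a 10.0.0.0/8 interoperable-gateway domain in community2. All community, gateway and subnet names are assumptions. It reports which encryption domains overlap across communities and shows that an exclusion keyed only on destination IP, as the crypt.def approach is, matches domains in both communities and therefore cannot be scoped to community2 alone.

```python
"""Check VPN encryption domains for cross-community overlap.

Added example; the data below is constructed to mirror the question
(community/gateway names and subnets are assumptions, not real config).
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample: community -> gateway -> list of VPN domain subnets.
COMMUNITIES = {
    "community1": {
        "gw1": ["10.6.1.0/24"],
        "gw2": ["10.6.2.0/24"],
        "gw3": ["10.6.3.0/24"],
    },
    "community2": {
        # Interoperable gateway advertising the whole 10.0.0.0/8
        "sophos-ig": ["10.0.0.0/8"],
    },
}


def flatten(communities):
    """Flatten the nested dict into (community, gateway, network) tuples."""
    entries = []
    for community, gateways in communities.items():
        for gateway, subnets in gateways.items():
            for subnet in subnets:
                entries.append((community, gateway, ip_network(subnet)))
    return entries


def cross_community_overlaps(communities):
    """Pairs of domain entries that overlap and belong to different communities.

    Any hit here means a destination address can fall into more than one
    community's domain, which is the 'bigger issue' the reply refers to.
    """
    entries = flatten(communities)
    return [
        (a, b)
        for a, b in combinations(entries, 2)
        if a[0] != b[0] and a[2].overlaps(b[2])
    ]


def communities_for_destination(communities, dst):
    """Sorted list of communities whose domains contain the destination IP."""
    addr = ip_address(dst)
    return sorted({c for c, _, net in flatten(communities) if addr in net})


def exclusion_scope(communities, excluded_subnets):
    """For each destination-only exclusion, list the (community, gateway)
    domains it overlaps. A destination-based rule has no community field, so
    every overlapping domain in every community is affected."""
    scope = {}
    for subnet in excluded_subnets:
        ex = ip_network(subnet)
        scope[subnet] = sorted(
            (c, g) for c, g, net in flatten(communities) if ex.overlaps(net)
        )
    return scope


if __name__ == "__main__":
    for a, b in cross_community_overlaps(COMMUNITIES):
        print(f"overlap: {a[0]}/{a[1]} {a[2]}  <->  {b[0]}/{b[1]} {b[2]}")
    print("10.6.2.10 is reachable via:",
          communities_for_destination(COMMUNITIES, "10.6.2.10"))
    for subnet, hits in exclusion_scope(
        COMMUNITIES, ["10.6.1.0/24", "10.6.2.0/24", "10.6.3.0/24"]
    ).items():
        print(f"excluding dst {subnet} would touch: {hits}")
```

Running it shows each 10.6.x.0/24 overlapping the 10.0.0.0/8 domain, and each candidate exclusion touching both a community1 gateway and the community2 interoperable gateway: with destination-only matching there is no way to carve the 10.6.x.0/24 flows out of community2 without also affecting community1. The practical fix is on the address-planning side, for example having the Sophos side present domains that do not cover 10.6.0.0/16, rather than in crypt.def.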