Create a Post
Showing results for 
Search instead for 
Did you mean: 

VPN Community Subnet exclusion


I have a configuration on which I have differents Community (R77.30 GW) and I have some overlapping subnet in the vpn encryption. the first community (community1) include 3 CKPS Gateway, each gateway have a 10.6.x.0/24 on his VPN domain (, for the first gateway, for the second, ...) and the communication work fine. I need yet add a new community (community2) to a central location (interoperable gateway - SOPHOS Firewall) and this IG present a subnet in his VPN Domain and phase 2 subnet. When I define this new Community, the communication between 10.6.x.0/24 subnet stop working. I have found the 'Excluding subnets in encryption domain from accessing a specific VPN community' - sk86582, that explain the crypt.def management, but since my goal is to exclude the flow between all the 10.6.x.0/24 subnets in the new community (community2), I don't found the way in the crypt.def file to define a specific community to be sure the exclusion are only applied to the community2 ? Does somebody have an idea about this configuration ?


1 Reply

The crypt.def modifications are based on destination IP.

Destination IPs are presumed to be unique between all defined VPN communities (otherwise, you have bigger issues).