S2S VPN and Encryption Domain
Hello all,
Having an issue using VPN between CP peers.
I have 3 peers (R81.10 hfa110) managed by the same CMA: P1, P2, P3.
Each peer has its own private network: N1, N2, N3.
I have 2 communities:
C1: P2-P3
C2: P3-P1.
N2 and N3 can reach each other using VPN C1 and it is working fine.
From N1, I have to reach N2 using an MPLS network, BUT when some specific IPs from N1 have to reach some specific IPs in N2 we want to use VPN C2.
So, within C1 I have the following encryption domain (defined per community):
P2=N2
P3=N3
And within C2:
P3= few IPs within N3
P1=N1.
And sometimes communication between N2-N3 doesn't work (vpn error 01: wrong peer).
Running vpn overlap_encdom, I have the following error: "Same destination address can be reached in more than one community. This configuration is not supported."
Does that really mean an IP can't be part of several communities?
Many thanks for your help.
Rgds,
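To see why the check fires on this topology, here is an added example (not from the thread or from Check Point) that models the per-community encryption domains described above and flags any destination address covered by domains in two different communities, which is the condition vpn overlap_encdom reports. The prefixes for N1, N2, N3 and the "few IPs within N3" are constructed placeholders, since the post does not give real addressing.

```python
# Added example: detect destination addresses reachable via more than one
# VPN community. Not Check Point code; prefixes below are constructed.
import ipaddress
from itertools import combinations

# Constructed sample addressing for the three private networks.
N1 = ipaddress.ip_network("10.1.0.0/24")
N2 = ipaddress.ip_network("10.2.0.0/24")
N3 = ipaddress.ip_network("10.3.0.0/24")
# The "few IPs within N3" that P3 exposes in community C2 (constructed).
N3_FEW = [ipaddress.ip_network("10.3.0.10/32"),
          ipaddress.ip_network("10.3.0.11/32")]

# Per-community encryption domains as in the question:
# community -> peer gateway -> networks it publishes in that community.
COMMUNITIES = {
    "C1": {"P2": [N2], "P3": [N3]},
    "C2": {"P3": N3_FEW, "P1": [N1]},
}

# The alternative suggested in the reply: one community holding all peers,
# so every destination is reachable through exactly one community.
SINGLE_COMMUNITY = {
    "MESH": {"P1": [N1], "P2": [N2], "P3": [N3]},
}


def find_overlaps(communities):
    """Return one tuple per pair of encryption-domain entries that belong to
    different communities and cover at least one common destination address.
    Each tuple is (community_a, peer_a, net_a, community_b, peer_b, net_b)."""
    entries = [(comm, peer, net)
               for comm, peers in communities.items()
               for peer, nets in peers.items()
               for net in nets]
    overlaps = []
    for (c_a, p_a, n_a), (c_b, p_b, n_b) in combinations(entries, 2):
        # Overlap inside one community is fine; across communities it is
        # the unsupported case the tool reports.
        if c_a != c_b and n_a.overlaps(n_b):
            overlaps.append((c_a, p_a, str(n_a), c_b, p_b, str(n_b)))
    return overlaps


if __name__ == "__main__":
    for hit in find_overlaps(COMMUNITIES):
        print("overlap:", hit)
    print("single community overlaps:", find_overlaps(SINGLE_COMMUNITY))
```

On the constructed data the two /32 hosts that P3 publishes in C2 are also inside the N3 domain P3 publishes in C1, so each is reported once; the single-community layout reports nothing.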
An IP can be a part of several communities, the problem is there are duplicate destination IPs within multiple communities. That is why NAT was invented.
It seems like P3 talks to P1 and P2, why not just make a single Star VPN community and route traffic that way? Or possibly set them all up in a Mesh VPN community?
For sure I would prefer to create a complete Mesh VPN. But the customer doesn't want to...
As far as I know, the same destination IP can be part of several communities (without using NAT).
