CheckPointer_IT
Collaborator

IKE ID is smaller than Encryption Domain definition

Hi all,

very small setup:

S2S VPN, domain based; my enc domain has only 10.10.0.0/16.

Anyway, what I found via vpn tu is that my IKE ID is 10.10.0.0/17.

Trying to connect to a host inside 10.10.128.0/17, I get a new IKE ID with a /32 on my side; this is related to the host IP, of course.

I checked all my communities, but it seems that this behavior is not linked to sk170857.

So, why does this happen?

Maybe some NAT rule inside 10.10.128.0/17 is breaking the subnet because of the NATed IP, which is not in the peer's enc domain?

thanks a lot

5 Replies
the_rock
Champion

Go to GuiDBedit and search for supernet, ike_use... can't remember the exact values now, but it may have to do with those.

CheckPointer_IT
Collaborator

Do you mean ike_use_largest_possible_subnets?

It seems that I'm facing the opposite problem...

the_rock
Champion

Yes, that, but also any supernet setting, turn it to false.

Vladimir
Champion

Check the VPN community settings to see if it is configured "per pair of hosts".

CheckPointer_IT
Collaborator

Hello Vladimir,

Thank you for your feedback.

Of course it is configured "per subnet pair", domain-based setup.

In the next hours I will check for the previously mentioned GuiDBedit value.