Encryption domain

Unanswered Question
Feb 5th, 2010
I have a quick question here in general: when you set up an encryption domain for an IPsec tunnel, the subnet mask of your encryption domain must match your source/destination subnet mask. So for example say you have a source of and destination of and you build your encryption domain with these subnets. Now say the source end decides to change the source subnet from to a. That means on my encryption domain on the VPN device I also need to change it from a /24 to a /27 to match my source; otherwise, if I leave my encryption domain as a /24 when I source from the /27, the source IP will be denied and the tunnel will not come up because it is expecting a /24 but now it sees a /27, correct? So in order for me to fix this I must change my encryption domain from a /24 to a /27 to match my source subnet of a /27.

JORGE RODRIGUEZ Fri, 02/05/2010 - 15:15

That is correct, the encryption domain must match at both ends. If your side or the other side changes network IDs pertaining to that particular tunnel policy, both ends must update the access list accordingly in order for the VPN tunnel to successfully come up when sending traffic between the two networks.



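The mirror-image rule from the answer above, as an added worked example (this is not code from the thread or from Cisco): a small checker that takes each side's crypto ACL as (source, destination) prefix pairs and reports whether every entry on one device has the exact (destination, source) counterpart on the peer. It models the strict rule stated in the answer, that the prefix lengths must be identical, so a /27 sitting inside the peer's /24 is reported as a mismatch even though the two networks overlap. The function names, the finding labels and the RFC 5737 documentation addresses are constructed for this example.

```python
"""Mirror-image check for IPsec crypto ACLs (encryption domains).

Added example, not code from the original thread or from any vendor.
It models the rule the answer states: each (source, destination) pair on
one VPN device must appear on the peer as the exact (destination, source)
pair with the same prefix lengths. A /27 inside the peer's /24 overlaps
but is not the same proxy ID, so it is reported as a mismatch.
Addresses are RFC 5737 documentation ranges chosen for this example.
"""
import ipaddress
from typing import List, Sequence, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]
Finding = Tuple[str, str, str]  # (status, local entry, peer entry or "-")


def parse_acl(entries: Sequence[Tuple[str, str]]) -> List[Pair]:
    """Turn ("src/len", "dst/len") strings into network objects.

    strict=False accepts host bits set (e.g. 192.0.2.5/24), the way a device
    normalises an address/wildcard pair to its network.
    """
    return [(ipaddress.IPv4Network(s, strict=False),
             ipaddress.IPv4Network(d, strict=False)) for s, d in entries]


def mirror_findings(local_acl: Sequence[Tuple[str, str]],
                    peer_acl: Sequence[Tuple[str, str]]) -> List[Finding]:
    """Compare the local crypto ACL against the mirror image of the peer's.

    Status values (labels chosen for this example):
      match            exact mirror entry exists on the peer
      prefix-mismatch  networks overlap but a prefix length differs
                       (the /24 vs /27 case from the question)
      missing          nothing on the other side overlaps this entry
    """
    local = parse_acl(local_acl)
    peer_mirror = [(dst, src) for src, dst in parse_acl(peer_acl)]
    findings: List[Finding] = []
    for src, dst in local:
        label = f"{src} -> {dst}"
        if (src, dst) in peer_mirror:
            findings.append(("match", label, label))
            continue
        overlapping = [(s, d) for s, d in peer_mirror
                       if s.overlaps(src) and d.overlaps(dst)]
        if overlapping:
            s, d = overlapping[0]
            findings.append(("prefix-mismatch", label, f"{s} -> {d}"))
        else:
            findings.append(("missing", label, "-"))
    # Entries the peer has that we lack are reported from the peer side;
    # overlapping-but-different ones were already reported above.
    for src, dst in peer_mirror:
        if (src, dst) not in local and not any(
                src.overlaps(s) and dst.overlaps(d) for s, d in local):
            findings.append(("missing", "-", f"{src} -> {dst}"))
    return findings


def acls_mirror(local_acl: Sequence[Tuple[str, str]],
                peer_acl: Sequence[Tuple[str, str]]) -> bool:
    """True only when every entry on both sides has an exact mirror."""
    return all(status == "match"
               for status, _, _ in mirror_findings(local_acl, peer_acl))


# Constructed sample reproducing the question's scenario.
LOCAL_ACL = [("192.0.2.0/24", "198.51.100.0/24")]        # this VPN device
PEER_ACL_BEFORE = [("198.51.100.0/24", "192.0.2.0/24")]  # peer's mirror image
# The source end renumbers its network to a /27 without updating us.
PEER_ACL_AFTER = [("198.51.100.0/24", "192.0.2.0/27")]
# The fix from the answer: our entry is changed to the same /27.
LOCAL_ACL_FIXED = [("192.0.2.0/27", "198.51.100.0/24")]

if __name__ == "__main__":
    for name, l, p in [("before", LOCAL_ACL, PEER_ACL_BEFORE),
                       ("after peer change", LOCAL_ACL, PEER_ACL_AFTER),
                       ("after local fix", LOCAL_ACL_FIXED, PEER_ACL_AFTER)]:
        print(f"{name}: mirror={acls_mirror(l, p)}")
        for finding in mirror_findings(l, p):
            print("   ", *finding)
```

Run it as a script to see the three states: both sides on /24 (mirror), the peer moved to /27 while the local ACL still says /24 (prefix-mismatch), and the local ACL updated to /27 (mirror again). The same check applies unchanged to multi-entry ACLs, where a single stale line is enough to stop the affected pair of networks from negotiating.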