Encryption domain

Unanswered Question
Feb 5th, 2010

I have a quick question here. In general, when you set up an encryption domain for an IPsec tunnel, the subnet mask of your encryption domain must match your source/destination subnet mask. So for example, say you have a source of 170.132.128.0/24 and a destination of 168.162.30.240/28, and you build your encryption domain with these subnets. Now say the source end decides to change the source subnet from 170.132.128.0/24 to 170.132.128.96/27. That means on my encryption domain on the VPN device I also need to change it from a /24 to a /27 to match my source; otherwise, if I leave my encryption domain as a /24 and I source from the /27, the source IP will be denied and the tunnel will not come up because it is expecting a /24 but now it sees a /27, correct? So in order for me to fix this I must change my encryption domain from a /24 to a /27 to match my source subnet of a /27.

JORGE RODRIGUEZ Fri, 02/05/2010 - 15:15

That is correct. The encryption domain must match at both ends; if your side or the other side changes the network IDs pertaining to that particular tunnel policy, both ends must update the access list accordingly in order for the VPN tunnel to successfully come up when sending traffic between the two networks.

Regards
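As an added illustration (example code written for this page, not from the thread or from any vendor), the following models what "the encryption domains must match" means during tunnel negotiation. It uses the subnets from the question, with the crypto ACL layouts assumed: the source site has already renumbered to 170.132.128.96/27, and the asker's VPN device either still carries the old /24 or has been updated to the /27. Two behaviours are modelled: IKEv1 Quick Mode, where the responder accepts the initiator's proxy IDs only if they are an exact mirror image of one of its own crypto ACL lines, and IKEv2, where RFC 7296 section 2.9 lets the responder narrow the proposed traffic selectors to the overlap its policy allows. The last check also shows that the stale /24 ACL still classifies a packet from the /27 as interesting traffic on the local side; the failure with a mismatched domain happens at proxy-ID negotiation, not at the local ACL lookup.

```python
"""
Proxy-ID (encryption-domain) matching for a site-to-site IPsec tunnel.

Added example, not code from the thread. Subnets are the ones from the
question; the crypto ACL layouts and peer roles are assumptions.
  * IKEv1 Quick Mode: responder accepts the proposal only if it exactly
    mirrors one line of its own crypto ACL.
  * IKEv2 (RFC 7296 section 2.9): responder may narrow the proposed
    traffic selectors to the intersection with its own policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Network = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Network:
    return ipaddress.IPv4Network(cidr)


@dataclass(frozen=True)
class ProxyId:
    """One traffic-selector pair: one crypto ACL line as its owner sees it."""
    local: IPv4Network   # networks behind this peer
    remote: IPv4Network  # networks behind the other peer

    def mirror(self) -> "ProxyId":
        """The same line as the other peer must configure it (mirror-image ACL)."""
        return ProxyId(self.remote, self.local)


def _intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Two CIDR blocks either nest or are disjoint, so the overlap is the more specific one."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def matches_crypto_acl(acl: list[ProxyId], src: str, dst: str) -> bool:
    """Is a packet src -> dst 'interesting traffic' for this peer's crypto ACL?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in line.local and d in line.remote for line in acl)


def negotiate_ikev1(proposal: ProxyId, responder_acl: list[ProxyId]) -> Optional[ProxyId]:
    """IKEv1: exact mirror match, or the Quick Mode exchange fails (returns None)."""
    wanted = proposal.mirror()
    return wanted if wanted in responder_acl else None


def negotiate_ikev2(proposal: ProxyId, responder_acl: list[ProxyId]) -> Optional[ProxyId]:
    """IKEv2: first overlapping line wins and the selectors are narrowed to the overlap.
    Returns the agreed selector in the responder's orientation, or None if nothing overlaps."""
    wanted = proposal.mirror()
    for line in responder_acl:
        local = _intersect(line.local, wanted.local)
        remote = _intersect(line.remote, wanted.remote)
        if local is not None and remote is not None:
            return ProxyId(local, remote)
    return None


def scenario() -> dict:
    """The situation from the question: the source site renumbered to a /27."""
    # Source site (initiator), already updated to the new /27 (assumed layout).
    source_site_acl = [ProxyId(net("170.132.128.96/27"), net("168.162.30.240/28"))]
    # The asker's VPN device, still carrying the old /24 ...
    stale_acl = [ProxyId(net("168.162.30.240/28"), net("170.132.128.0/24"))]
    # ... and after being updated to the /27.
    updated_acl = [ProxyId(net("168.162.30.240/28"), net("170.132.128.96/27"))]

    proposal = source_site_acl[0]  # the source site brings the tunnel up
    return {
        "stale_ikev1": negotiate_ikev1(proposal, stale_acl),      # None: proxy IDs mismatch
        "stale_ikev2": negotiate_ikev2(proposal, stale_acl),      # narrowed to the /27
        "updated_ikev1": negotiate_ikev1(proposal, updated_acl),  # exact match
        # A host in the /27 still hits the stale /24 ACL locally (constructed addresses).
        "stale_acl_sees_traffic": matches_crypto_acl(stale_acl, "168.162.30.241", "170.132.128.100"),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Run it and the IKEv1 case with the stale /24 returns None, which is the "proxy identities not supported" style failure the thread is describing, while the updated /27 matches exactly. The IKEv2 row is the caveat: a responder that supports selector narrowing can still agree on the /27 against a /24 policy, so whether both ends strictly must be edited depends on the IKE version and the platform's narrowing behaviour; keeping the ACLs mirror-image at both ends is the safe practice either way.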
