Cisco Support Community
Encryption domain

I have a quick question here in general: when you set up an encryption domain for an IPsec tunnel, the subnet mask of your encryption domain must match your source/destination subnet mask. So, for example, say you have a source of and destination of and you build your encryption domain with these subnets.

Now say the source end decides to change the source subnet from to a . That means on my encryption domain on the VPN device I also need to change it from a /24 to a /27 to match my source; otherwise, if I leave my encryption domain as a /24, when I source from the /27 the source IP will be denied and the tunnel will not come up, because it is expecting a /24 but now it sees a /27, correct? So in order for me to fix this I must change my encryption domain from a /24 to a /27 to match my source subnet of a /27.


Re: Encryption domain

That is correct, the encryption domain must match at both ends. If your side or the other side changes the network IDs pertaining to that particular tunnel policy, both ends must update the access list accordingly in order for the VPN tunnel to come up successfully when sending traffic between the two networks.
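The behaviour discussed in the question and reply above, as an added example that is not part of the original thread and is not Cisco code: a small Python model of a crypto ACL (the "encryption domain") and of the IKEv1 Quick Mode proxy-ID check, where Cisco requires each peer's selectors to be the mirror image of the other's. All networks (site A 10.1.1.0/24, site B 192.168.50.0/24) and hosts are constructed values. It separates two things the thread runs together: a host that moved into a /27 is still inside the old /24, so an unchanged /24 entry still classifies its traffic locally; what actually breaks the tunnel is one side narrowing its entry to /27 while the peer keeps the /24, because the proxy IDs then no longer mirror and Quick Mode fails. Updating both ends, as the reply says, restores a working tunnel, and hosts outside the new /27 simply stop being interesting traffic.

```python
"""Model of IPsec 'interesting traffic' classification and proxy-ID matching.

Added example for this thread; it is not Cisco code. A crypto ACL (the
'encryption domain') is modelled as an ordered list of (source, destination)
permit entries, matched first-match as on IOS/ASA. All addresses are
constructed sample values.
"""
from ipaddress import ip_address, ip_network


def matches_crypto_acl(acl, src, dst):
    """Return the first (src_net, dst_net) entry that classifies the packet as
    interesting traffic, or None if no entry matches (the packet is then routed
    in the clear rather than triggering IPsec)."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return (src_net, dst_net)
    return None


def unmirrored_entries(local_acl, remote_acl):
    """IKEv1 Quick Mode requires the peer's proxy IDs to be the exact mirror
    image of ours: same prefixes, roles swapped. A /27 on one side and a /24
    on the other is not a mirror even though one contains the other. Return
    the local entries that have no mirror on the remote side."""
    remote_as_seen_locally = {(dst, src) for src, dst in remote_acl}
    return [entry for entry in local_acl if entry not in remote_as_seen_locally]


def tunnel_state(local_acl, remote_acl, src, dst):
    """Classify a packet on the local box, then check the selectors both
    peers would offer. Returns 'not-interesting', 'proxy-id-mismatch' or
    'negotiates'."""
    entry = matches_crypto_acl(local_acl, src, dst)
    if entry is None:
        return "not-interesting"
    if entry in unmirrored_entries(local_acl, remote_acl):
        return "proxy-id-mismatch"
    return "negotiates"


def scenarios():
    """Walk through the thread's /24 -> /27 change. Site A = 10.1.1.0/24 and
    site B = 192.168.50.0/24 are constructed values."""
    a24 = ip_network("10.1.1.0/24")
    a27 = ip_network("10.1.1.0/27")  # site A renumbers its LAN to a /27
    b24 = ip_network("192.168.50.0/24")

    both_24 = ([(a24, b24)], [(b24, a24)])
    only_a_narrowed = ([(a27, b24)], [(b24, a24)])  # site B left untouched
    both_27 = ([(a27, b24)], [(b24, a27)])
    host, peer = "10.1.1.5", "192.168.50.10"

    return {
        # Original state: mirrored /24s, host 10.1.1.5 negotiates normally.
        "both /24": tunnel_state(*both_24, host, peer),
        # Hosts now live in 10.1.1.0/27, but that is inside the old /24, so
        # the unchanged /24 entries still classify the traffic and still mirror.
        "LAN is /27 but both ACLs still /24": tunnel_state(*both_24, host, peer),
        # Only site A tightens its ACL: the packet matches locally, but the
        # proxy IDs no longer mirror, so Quick Mode fails for this pair.
        "only A changed to /27": tunnel_state(*only_a_narrowed, host, peer),
        # Both sides updated, as the reply describes: working tunnel again.
        "both changed to /27": tunnel_state(*both_27, host, peer),
        # A host outside the new /27 is simply no longer interesting traffic.
        "both /27, host outside": tunnel_state(*both_27, "10.1.1.40", peer),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:38s} -> {state}")
```

On a real ASA or IOS router the "proxy-id-mismatch" case shows up in `debug crypto ipsec` / `debug crypto isakmp` output as a proxy identity that the peer does not support, which is the symptom to look for after one side changes its encryption domain.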