Overlapping subnets in IPSec VPN policy rules returns a validation error
Article ID: 325098
Products: VMware NSX
Issue/Introduction
Symptoms: If IPSec VPN policy rules have been configured with overlapping subnets across multiple sessions, you see this symptom:
The API returns a validation error.
Environment
VMware NSX-T Data Center 2.x
VMware NSX-T Data Center
Cause
This issue occurs because VMware currently does not allow overlapping subnets in IPSec VPN policy rules across multiple sessions.
Resolution
To resolve this issue, VMware has added the notion of a policy rule priority on the IPSec VPN session. Overlapping subnets continue to be blocked if the sessions involved have the same priority. To allow overlapping subnets across multiple sessions, provide a tag with a different priority for each session when creating the IPSec VPN session.
Additional Information
Sample Tag
Along with the other configuration of the IPSec VPN session, the user needs to provide the following tag:
scope: policy_rule_priority
tag: 5 (allowed range is 1 to 10)
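As an added example that is not part of this KB article, the Python below builds the policy_rule_priority tag and runs a pre-flight check over session definitions before they are submitted, flagging priorities outside 1 to 10 and overlapping sessions that share a priority. The policy_rules/sources/destinations/subnet layout and the display_name field are assumptions about the session payload, and treating a missing priority on either overlapping session as blocked is also an assumption.

```python
import ipaddress
from itertools import combinations

PRIORITY_SCOPE = "policy_rule_priority"
PRIORITY_RANGE = range(1, 11)  # the KB allows values 1 to 10

def priority_tag(value):
    """Build the tag object to put in an IPSec VPN session's 'tags' list."""
    if value not in PRIORITY_RANGE:
        raise ValueError("policy_rule_priority must be between 1 and 10")
    return {"scope": PRIORITY_SCOPE, "tag": str(value)}

def get_priority(session):
    """Return the session's policy_rule_priority as an int, or None if untagged."""
    for t in session.get("tags", []):
        if t.get("scope") == PRIORITY_SCOPE:
            return int(t["tag"])
    return None

def rule_subnets(session, side):
    # Assumed payload layout: policy_rules[].sources[].subnet and .destinations[].subnet
    return [ipaddress.ip_network(e["subnet"], strict=False)
            for rule in session.get("policy_rules", []) for e in rule.get(side, [])]

def sessions_overlap(a, b):
    """Conservative check: any source/source or destination/destination overlap."""
    return any(x.overlaps(y) for side in ("sources", "destinations")
               for x in rule_subnets(a, side) for y in rule_subnets(b, side))

def validate_sessions(sessions):
    """Pre-flight check mirroring the KB's rule; an empty list means it would pass."""
    errors = []
    for s in sessions:
        p = get_priority(s)
        if p is not None and p not in PRIORITY_RANGE:
            errors.append(f"{s['display_name']}: priority {p} outside 1-10")
    for a, b in combinations(sessions, 2):
        pa, pb = get_priority(a), get_priority(b)
        if sessions_overlap(a, b) and (pa is None or pb is None or pa == pb):
            errors.append(f"{a['display_name']} and {b['display_name']}: "
                          "overlapping subnets with the same or missing priority")
    return errors

# Constructed sample sessions (not taken from a real NSX deployment)
SESSIONS = [
    {"display_name": "site-a", "tags": [priority_tag(5)], "policy_rules": [
        {"sources": [{"subnet": "10.0.0.0/24"}], "destinations": [{"subnet": "192.168.1.0/24"}]}]},
    {"display_name": "site-b", "tags": [priority_tag(5)], "policy_rules": [
        {"sources": [{"subnet": "10.0.0.0/16"}], "destinations": [{"subnet": "192.168.2.0/24"}]}]},
]
```

Giving site-b a different priority (for example priority_tag(6)) makes validate_sessions return an empty list, which is the configuration the KB describes as accepted.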