Overlapping subnets in IPSec VPN policy rules returns a validation error
Article ID: 325098
Updated On:
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
If a user has configured IPSec VPN policy rules with overlapping subnets across multiple sessions, you see this symptom:
If a user has configured IPSec VPN policy rules with overlapping subnets across multiple sessions, you see this symptom:
- The API returns a validation error.
Environment
VMware NSX-T Data Center 2.x
VMware NSX-T Data Center
VMware NSX-T Data Center
Cause
This issue occurs as VMware currently does not allow overlapping subnets in IPSec VPN policy rules across multiple sessions.
Resolution
To resolve this issue, VMware has added a notion of policy rule priority on IPSec VPN Session. The overlapping subnets will continue to be block if the multiple sessions have the same priority. In order to allow overlapping subnets across multiple sessions, the user needs to provide a tag with a different priority while creating the IPSec VPN Session.
Additional Information
Sample Tag
Along with other configuration of IPSec VPN Session, the user needs to provide the following tag:scope - policy_rule_priority
tag - 5 // Allowed range is 1 to 10
Feedback
Yes
No
Powered by
