Overlapping subnets in IPSec VPN policy rules returns a validation error

Article ID: 325098

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
If a user has configured IPSec VPN policy rules with overlapping subnets across multiple sessions, you see this symptom:
  • The API returns a validation error.


Environment

VMware NSX-T Data Center 2.x
VMware NSX-T Data Center

Cause

This issue occurs as VMware currently does not allow overlapping subnets in IPSec VPN policy rules across multiple sessions.

Resolution

To resolve this issue, VMware has added a notion of policy rule priority on the IPSec VPN Session. Overlapping subnets will continue to be blocked if the multiple sessions have the same priority. In order to allow overlapping subnets across multiple sessions, the user needs to provide a tag with a different priority for each session while creating the IPSec VPN Session.

Additional Information

Sample Tag

Along with other configuration of IPSec VPN Session, the user needs to provide the following tag:

scope: policy_rule_priority
tag: 5 (allowed range is 1 to 10)
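The following Python pre-flight check is an added example, not VMware's code: it builds the policy_rule_priority tag described above and, before any API call, reports session pairs that NSX would still reject (overlapping subnets with the same priority, or both untagged). It assumes the policy-based session JSON layout policy_rules[].sources[].subnet / destinations[].subnet and, since the KB does not say which side NSX compares, conservatively treats an overlap on either the local or the remote side as a conflict.

```python
import ipaddress
from typing import Dict, Iterator, List, Optional, Tuple

PRIORITY_SCOPE = "policy_rule_priority"   # tag scope named in the KB
PRIORITY_RANGE = range(1, 11)             # allowed values 1..10 per the KB

def build_priority_tag(priority: int) -> Dict[str, str]:
    """Tag object to attach to the session (NSX tags are scope/tag string pairs)."""
    if priority not in PRIORITY_RANGE:
        raise ValueError(f"policy_rule_priority must be 1..10, got {priority}")
    return {"scope": PRIORITY_SCOPE, "tag": str(priority)}

def session_priority(session: dict) -> Optional[int]:
    """Priority carried by the session's tags, or None if it is untagged."""
    for tag in session.get("tags", []):
        if tag.get("scope") == PRIORITY_SCOPE:
            return int(tag["tag"])
    return None

def rule_subnets(session: dict) -> Iterator[Tuple]:
    """Yield (local, remote) networks for every policy rule (assumed JSON layout)."""
    for rule in session.get("policy_rules", []):
        for src in rule.get("sources", []):
            for dst in rule.get("destinations", []):
                yield (ipaddress.ip_network(src["subnet"], strict=False),
                       ipaddress.ip_network(dst["subnet"], strict=False))

def overlapping(a: dict, b: dict) -> bool:
    """Conservative: an overlap on the local OR the remote side counts."""
    return any(la.overlaps(lb) or ra.overlaps(rb)
               for la, ra in rule_subnets(a) for lb, rb in rule_subnets(b))

def find_conflicts(sessions: List[dict]) -> List[Tuple[str, str]]:
    """Session pairs NSX would reject: overlapping subnets and equal priority."""
    conflicts = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if session_priority(a) == session_priority(b) and overlapping(a, b):
                conflicts.append((a["display_name"], b["display_name"]))
    return conflicts

# Constructed sample sessions (not from the KB): one LAN advertised to three peers.
SESSIONS = [
    {"display_name": "to-siteA", "tags": [build_priority_tag(5)], "policy_rules": [
        {"sources": [{"subnet": "10.1.0.0/16"}], "destinations": [{"subnet": "192.168.10.0/24"}]}]},
    {"display_name": "to-siteB", "tags": [build_priority_tag(5)], "policy_rules": [
        {"sources": [{"subnet": "10.1.0.0/16"}], "destinations": [{"subnet": "192.168.20.0/24"}]}]},
    {"display_name": "to-siteC", "tags": [build_priority_tag(3)], "policy_rules": [
        {"sources": [{"subnet": "10.1.0.0/16"}], "destinations": [{"subnet": "192.168.30.0/24"}]}]},
]

if __name__ == "__main__":
    print(find_conflicts(SESSIONS))  # [('to-siteA', 'to-siteB')]: same priority 5
```

Only to-siteA and to-siteB are reported; to-siteC shares the same local subnet but carries a different priority tag, which is exactly what the resolution above permits.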