The simple answer to your question is yes, a /32 entity on one side of the tunnel should work if the network is defined as a /24 on both sides. It is not like a prefix list or dynamic routing protocol where the subnet masks need to match. The network statements in the Phase 2 portion of the IPsec tunnel (which define which traffic traverses the tunnel) are defined via ACLs, so as long as the traffic meets the criteria of the ACL, it will pass over the tunnel. Having said that, your Phase 2 tunnel should never have been created in your /24 and /25 example because the network statements didn't match; that is odd. Maybe your tunnels matched but you didn't exclude some of the traffic from being NATed? As you alluded to, however, the Phase 2 portions of the tunnel (aka the security association) have to be mirror images. If you are using two ASAs, then you can simply reverse the ACL source and destination. If you are doing ASA to, say, a NetScreen, it may be a little more complex depending on whether you are doing route-based or policy-based IPsec on that side. If you cannot get the /32 device to work for some reason, you can also create another security association specific to that traffic.
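As an added illustration (not part of the original post, and not an ASA parser), the following Python models the two checks the answer describes: whether the Phase 2 selectors on both peers are exact mirror images, and whether a given packet's source and destination fall inside a selector pair so that it would be sent over the tunnel. The site addresses, the /32 host and the mismatched /25 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Selector:
    """One permit entry of a crypto ACL: local (source) network -> remote (destination) network."""
    local: str
    remote: str


def phase2_mirrors(side_a, side_b):
    """True when every selector on peer A has its exact mirror (source/destination swapped)
    on peer B, and vice versa. A /24 on one side and a /25 on the other is a mismatch,
    which is why such a Phase 2 SA should not negotiate."""
    a_pairs = {(ip_network(s.local), ip_network(s.remote)) for s in side_a}
    b_mirrored = {(ip_network(s.remote), ip_network(s.local)) for s in side_b}
    return a_pairs == b_mirrored


def traffic_selected(selectors, src, dst):
    """Return the first selector whose local/remote networks contain src/dst, or None.
    A single /32 host is covered as long as it lies inside the /24 the ACL names;
    the ACL does not need a /32 entry of its own."""
    s_ip, d_ip = ip_address(src), ip_address(dst)
    for sel in selectors:
        if s_ip in ip_network(sel.local) and d_ip in ip_network(sel.remote):
            return sel
    return None


# Constructed example sites (not from the original post).
SITE_A = [Selector("10.1.1.0/24", "10.2.2.0/24")]          # ACL on ASA at site A
SITE_B_GOOD = [Selector("10.2.2.0/24", "10.1.1.0/24")]     # site B, source/destination reversed
SITE_B_BAD = [Selector("10.2.2.0/25", "10.1.1.0/24")]      # site B defined as /25: not a mirror

if __name__ == "__main__":
    print("mirrored (/24 <-> /24):", phase2_mirrors(SITE_A, SITE_B_GOOD))
    print("mirrored (/24 <-> /25):", phase2_mirrors(SITE_A, SITE_B_BAD))
    # A single host 10.2.2.50 at site B is reached through the /24 selector.
    print("10.1.1.5 -> 10.2.2.50 selected:", traffic_selected(SITE_A, "10.1.1.5", "10.2.2.50"))
    # Traffic outside both networks never enters the tunnel.
    print("10.1.1.5 -> 10.2.3.1 selected:", traffic_selected(SITE_A, "10.1.1.5", "10.2.3.1"))
```

When `traffic_selected` returns a selector but the host still does not answer, the likelier cause is the one the answer hints at: the interesting traffic being NATed before it is evaluated against the crypto ACL, rather than the /32 itself.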
Hi, thanks for your input. Yes, I know about the keepalive packet getting looped, but my question is how I can check which switch started this STP convergence in the first place. To add, I checked the TCN but no luck, as it was pointing to 10 to 15 switches each time, because this LAN was not properly configured (say PortFast, or any other features). As of now I have finished the MST migration and fixed everything, but I still don't get the answer to my initial question of which switch started that convergence. Anyhow, thanks for all your valuable input. Regards, Kamal