Client VPN Authorization Rules


I have clients set up with mutual authentication and am looking to set up some authorization rules, but I am hitting an issue where the authorization rules don't seem to work for anything smaller than a /16 subnet.

For example, I have the following setup:

VPC Network -

Client A - Member of AD Group A
Client B - Member of AD Group B

AD Group A has authorization rule to allow access to
AD Group B has authorization rule to allow access to

Route Table has route to

Client A and B are both able to connect successfully

Client B can ping but Client A cannot

If I change the authorization rule for AD Group A to match AD Group B the ping works.

Seems like I am missing something or there is an issue with the authorization interpretation of smaller subnets.

Edited by: Hockercs on Feb 15, 2019 9:25 AM

asked 5 years ago
224 views
1 Answer

The authorization rule order is significant and once a network match is found it stops processing additional rules.

So authorization rule for must appear higher in the list than

Also, for Client B, which should have access to the entire subnet, those users will need to be members of both AD Group A and AD Group B in order to get access to and the rest of the /16 subnet.

answered 5 years ago
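The evaluation described in the answer (rules checked in list order, the first rule whose CIDR contains the destination decides, and that rule's access group alone grants or denies), modelled as an added example that is not part of the original thread. The CIDRs 10.0.0.0/16 and 10.0.1.0/24 are constructed placeholders, since the original question's values were not preserved; the group-to-CIDR mapping follows the answer (AD Group A on the smaller subnet, AD Group B on the /16).

```python
import ipaddress

# Constructed placeholder networks; the original question's CIDRs are unknown.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")      # rule for AD Group B
APP_SUBNET = ipaddress.ip_network("10.0.1.0/24")    # rule for AD Group A

# Authorization rules as an ordered list of (target network CIDR, access group).
# Per the answer's model, the more specific rule must be listed above the /16,
# otherwise the /16 rule matches first and the /24 rule is never consulted.
RULES = [
    (APP_SUBNET, "AD Group A"),
    (VPC_CIDR, "AD Group B"),
]

def is_authorized(rules, client_groups, destination):
    """First-match model: the first rule whose CIDR contains the destination
    decides, and only that rule's group is checked against the client."""
    dst = ipaddress.ip_address(destination)
    for cidr, group in rules:
        if dst in cidr:
            return group in client_groups   # network match ends evaluation
    return False                            # no rule covers the destination

def reachability(rules, clients, destinations):
    """Map each client name to the set of destinations it may reach."""
    return {
        name: {d for d in destinations if is_authorized(rules, groups, d)}
        for name, groups in clients.items()
    }

if __name__ == "__main__":
    # Constructed clients mirroring the thread: A and B in one group each,
    # plus a user in both groups, which the answer says the full /16 requires.
    clients = {
        "Client A": {"AD Group A"},
        "Client B": {"AD Group B"},
        "Both groups": {"AD Group A", "AD Group B"},
    }
    targets = ["10.0.1.10", "10.0.50.10"]   # inside the /24, and elsewhere in the /16
    for client, reach in reachability(RULES, clients, targets).items():
        print(f"{client}: {sorted(reach)}")
```

Under this model a member of AD Group B alone is denied the /24 even though it lies inside the /16 that group is allowed, which is why the answer says users needing the whole /16 must be in both groups.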
