I’m trying to create a tunnel from our local network, which is 10.0.0.0/24. Basically we are connecting to another router that has a bunch of class B 10.x.x.x subnets, so I created a policy in IPsec on both routers to say the src address is 10.0.0.0/24 and the dst address is 10.0.0.0/8, but I think it’s getting confused when I try to do that. So I tried to make individual policies for each 10.1.0.0/16 class B, but on the other router we are connected to, the log shows “decrypted packet did not match policy” when I have a policy there for that network? Do the policies have to exist upon establishing the peer connection? Can they not be created after it’s established?
Your problem is that the subnets at each end of the link overlap. 10.0.0.0/24 includes all of the 10.0.0.0/8 networks so the router can’t determine the correct destination.
Yes, the policy must exist before the link is established.
Kind regards
Andrew
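To make the selector problem from the thread concrete, here is an added Python example (not from the thread or either router vendor) that models IPsec policies as (local selector, remote selector) pairs and checks two things: whether a policy's own selectors overlap, and which policy an outbound or a freshly decrypted inbound packet would match. The policy lists BROAD, SPLIT and PEER are constructed from the prefixes mentioned in the question; the mirrored inbound check (packet source must sit in the remote selector, packet destination in the local selector) is the usual way a responder validates a decrypted packet and is stated here as an assumption about the routers in the thread.

```python
import ipaddress

# Constructed policy sets modelled on the thread. Each entry is
# (local_selector, remote_selector) as seen from the router holding it.
BROAD = [("10.0.0.0/24", "10.0.0.0/8")]          # the original, overlapping policy
SPLIT = [("10.0.0.0/24", "10.1.0.0/16"),          # one policy per remote /16
         ("10.0.0.0/24", "10.2.0.0/16")]
PEER = [("10.1.0.0/16", "10.0.0.0/24")]           # far end: mirrored, but 10.2.0.0/16 missing


def parse(policies):
    """Turn string prefixes into ip_network objects (strict=True rejects host bits)."""
    return [(ipaddress.ip_network(loc), ipaddress.ip_network(rem)) for loc, rem in policies]


def overlapping_policies(policies):
    """Indexes of policies whose local and remote selectors share address space.
    Such a policy claims LAN-internal traffic for the tunnel, which is the
    ambiguity Andrew's reply points at."""
    return [i for i, (loc, rem) in enumerate(parse(policies)) if loc.overlaps(rem)]


def outbound_match(policies, src_ip, dst_ip):
    """Indexes of policies an outbound packet (src -> dst) would be encrypted under."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [i for i, (loc, rem) in enumerate(parse(policies)) if s in loc and d in rem]


def inbound_match(policies, src_ip, dst_ip):
    """Indexes of policies a *decrypted* inbound packet satisfies on the receiving
    router: its source must lie in the remote selector and its destination in the
    local selector. An empty list is the condition behind a
    'decrypted packet did not match policy' style log line (assumed semantics)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [i for i, (loc, rem) in enumerate(parse(policies)) if s in rem and d in loc]


def report():
    """Walk through the thread's scenario and return the findings as a dict."""
    return {
        "broad_overlaps": overlapping_policies(BROAD),
        # LAN-local traffic is captured by the /8 remote selector
        "broad_lan_local": outbound_match(BROAD, "10.0.0.5", "10.0.0.9"),
        "split_overlaps": overlapping_policies(SPLIT),
        "split_lan_local": outbound_match(SPLIT, "10.0.0.5", "10.0.0.9"),
        "split_to_10_1": outbound_match(SPLIT, "10.0.0.5", "10.1.2.3"),
        # far end: packet for 10.1.x matches, packet for 10.2.x has no mirrored policy
        "peer_10_1": inbound_match(PEER, "10.0.0.5", "10.1.2.3"),
        "peer_10_2": inbound_match(PEER, "10.0.0.5", "10.2.2.3"),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Running it shows the broad policy overlapping with itself and swallowing purely local 10.0.0.x traffic, the per-/16 split removing that overlap, and the peer rejecting decrypted packets for any /16 it has no mirrored policy for; adding the missing policy on the far end, before the SA is brought up as Andrew notes, is what makes the inbound check succeed.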