Technical Tip: How to combine two phase two selectors in IPsec VPN into one phase two selector using super net

In this example, subnets of two selectors are to be combined into one super net. 

Subnet of first phase two selector: 192.168.98.0/26
Subnet of second phase two selector: 192.168.100.0/24

Step 1: Determine the IP ranges.

192.168.98.0/26
Subnet mask: 255.255.255.192
Range: 192.168.98.0 to 192.168.98.63

192.168.100.0/24
Subnet mask: 255.255.255.0
Range: 192.168.100.0 to 192.168.100.255

Step 2: Find the smallest network that covers both networks. 

192.168.98.0 (lowest IP)
192.168.100.255 (highest IP)

Convert to binary to find the common prefix:
192.168.98.0 → 11000000.10101000.01100010.00000000
192.168.100.255 → 11000000.10101000.01100100.11111111

Step 3: Compare bit by bit.

The two subnets match for the first 21 bits.

Hence, super net is 192.168.96.0/21 . (192.168.96.0 255.255.248.0) 

Step 4: Apply the super net in a single-phase two-selector as required.

If the add route is enabled, a '/21' route for the super net will be added automatically after merging. If the add route is disabled, the route summarization can be carried out manually with the super net over the tunnel interface.