diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
index 4ac3b006e3..3541e3d380 100644
--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml
+++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -608,7 +608,9 @@ data:
 {{- if .Values.encryption.strictMode.enabled }}
   enable-encryption-strict-mode: {{ .Values.encryption.strictMode.enabled | quote }}
 
-  encryption-strict-mode-cidr: {{ .Values.encryption.strictMode.cidr | quote }}
+  encryption-strict-mode-node-cidrs: {{ .Values.encryption.strictMode.nodeCIDRList | join " " | quote }}
+
+  encryption-strict-mode-pod-cidrs: {{ .Values.encryption.strictMode.podCIDRList | join " " | quote }}
 
   encryption-strict-mode-allow-remote-node-identities: {{ .Values.encryption.strictMode.allowRemoteNodeIdentities | quote }}
 {{- end }}
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index c00e9af831..4661c16f56 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -794,17 +794,21 @@ encryption:
   # This option is only effective when encryption.type is set to "wireguard".
   nodeEncryption: false
 
-  # -- Configure the WireGuard Pod2Pod strict mode.
+  # -- Configure the WireGuard strict mode.
   strictMode:
-    # -- Enable WireGuard Pod2Pod strict mode.
+    # -- Enable WireGuard strict mode.
     enabled: false
+
+    # -- podCIDRList for the WireGuard strict mode.
+    podCIDRList: []
 
-    # -- CIDR for the WireGuard Pod2Pod strict mode.
-    cidr: ""
+    # -- nodeCIDRList for the WireGuard strict mode.
+    nodeCIDRList: []
 
     # -- Allow dynamic lookup of remote node identities.
     # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
-    allowRemoteNodeIdentities: false
+    # This is also required when control-plane nodes are exempted from node-to-node encryption.
+    allowRemoteNodeIdentities: true
 
   ipsec:
     # -- Name of the key file inside the Kubernetes secret configured via secretName.