diff --git a/rust/connlib/tunnel/src/gateway.rs b/rust/connlib/tunnel/src/gateway.rs
index 2e8bb86fe..50eba0d96 100644
--- a/rust/connlib/tunnel/src/gateway.rs
+++ b/rust/connlib/tunnel/src/gateway.rs
@@ -83,7 +83,7 @@ where
 expires_at: Option>,
 resource: ResourceDescription,
 ) -> Result {
- let resource_addresses = match &resource {
+ let (resource_addresses, id) = match &resource {
 ResourceDescription::Dns(r) => {
 let Some(domain) = domain.clone() else {
 return Err(Error::ControlProtocolError);
@@ -93,9 +93,9 @@ where
 return Err(Error::InvalidResource);
 }
- r.addresses.clone()
+ (r.addresses.clone(), r.id)
 }
- ResourceDescription::Cidr(ref cidr) => vec![cidr.address],
+ ResourceDescription::Cidr(ref cidr) => (vec![cidr.address], cidr.id),
 };
 let answer = self.role_state.node.accept_connection(
@@ -113,13 +113,7 @@ where
 Instant::now(),
 );
- self.new_peer(
- ips,
- client_id,
- resource,
- expires_at,
- resource_addresses.clone(),
- )?;
+ self.new_peer(ips, client_id, id, expires_at, resource_addresses.clone())?;
 Ok(ConnectionAccepted {
 ice_parameters: Answer {
@@ -167,7 +161,7 @@ where
 for address in &addresses {
 peer.transform
- .add_resource(*address, resource.clone(), expires_at);
+ .add_resource(*address, resource_id, expires_at);
 }
 tracing::info!(%client, resource = %resource_id, expires = ?expires_at.map(|e| e.to_rfc3339()), "Allowing access to resource");
@@ -203,15 +197,14 @@ where
 &mut self,
 ips: Vec,
 client_id: ClientId,
- resource: ResourceDescription,
+ resource: ResourceId,
 expires_at: Option>,
 resource_addresses: Vec,
 ) -> Result<()> {
 let mut peer = Peer::new(client_id, PacketTransformGateway::default(), &ips, ());
 for address in resource_addresses {
- peer.transform
- .add_resource(address, resource.clone(), expires_at);
+ peer.transform.add_resource(address, resource, expires_at);
 }
 self.role_state.peers.insert(peer, &ips);
diff --git a/rust/connlib/tunnel/src/peer.rs b/rust/connlib/tunnel/src/peer.rs
index 381e42179..3fe38d006 100644
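Review bot: The rewritten arm `ResourceDescription::Cidr(ref cidr) => (vec![cidr.address], cidr.id),` in the second hunk keeps an explicit `ref` although the scrutinee is already `&resource`, so the default binding mode makes `cidr` a reference on its own, which is exactly what the sibling `ResourceDescription::Dns(r)` arm relies on. The two arms should be written the same way: `ResourceDescription::Cidr(cidr) => (vec![cidr.address], cidr.id),`. The enclosing function begins before the hunk and continues past it.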
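Review bot: In the last hunk `new_peer` now takes a `ResourceId` but still names the parameter `resource`, while the caller in the third hunk passes it as `id` and the `add_resource` call in the fourth hunk uses `resource_id`; renaming the parameter to `resource_id` would keep the three sites consistent, so the loop reads `peer.transform.add_resource(address, resource_id, expires_at);`. The function also takes `resource_addresses: Vec<…>` by value, which is presumably what forces the `resource_addresses.clone()` at the call site (the vector appears to be used again after the call, outside the hunk); since each element is handed to `add_resource` by value as an `IpNetwork` (the `*address` deref in the fourth hunk shows it is `Copy`), accepting `&[IpNetwork]` and iterating with `.iter().copied()` would drop that clone without changing behaviour. `new_peer` has no doc comment although it is where the gateway seeds a client's per-peer access list; a line such as `/// Registers a peer for client_id on ips and grants it every prefix in resource_addresses under resource_id until expires_at.` would make that role explicit. The function continues past the end of the hunk.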
--- a/rust/connlib/tunnel/src/peer.rs
+++ b/rust/connlib/tunnel/src/peer.rs
@@ -11,10 +11,9 @@ use ip_network::IpNetwork;
 use ip_network_table::IpNetworkTable;
 use pnet_packet::Packet;
-use crate::gateway::ResourceDescription;
 use crate::ip_packet::MutableIpPacket;
-type ExpiryingResource = (ResourceDescription, Option>);
+type ExpiryingResource = (ResourceId, Option>);
 // The max time a dns request can be configured to live in resolvconf
 // is 30 seconds. See resolvconf(5) timeout.
@@ -149,16 +148,13 @@ impl PacketTransformGateway {
 }
 pub(crate) fn remove_resource(&mut self, resource: &ResourceId) {
- self.resources.retain(|_, (r, _)| match r {
- connlib_shared::messages::ResourceDescription::Dns(r) => r.id != *resource,
- connlib_shared::messages::ResourceDescription::Cidr(r) => r.id != *resource,
- })
+ self.resources.retain(|_, (r, _)| r != resource)
 }
 pub(crate) fn add_resource(
 &mut self,
 ip: IpNetwork,
- resource: ResourceDescription,
+ resource: ResourceId,
 expires_at: Option>,
 ) {
 self.resources.insert(ip, (resource, expires_at));
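Review bot: `add_resource` in the second hunk discards the result of `self.resources.insert(ip, (resource, expires_at))`, which, if `IpNetworkTable::insert` follows the usual map contract, is the previous entry for that prefix; an existing `(ResourceId, expires_at)` for the same `ip` is therefore silently replaced, and with the table now keyed purely by id a later `remove_resource` for the overwritten id no longer touches that prefix while an earlier, shorter expiry is lost. Whether two resources may share a prefix is decided outside this file, so at minimum the method should document the replacement, e.g. `/// Grants access to ip on behalf of resource until expires_at; an existing entry for the same prefix is replaced, including its expiry.`, and binding the returned previous value to log it at debug level would make such overlaps visible to operators. The `impl PacketTransformGateway` block begins before the hunk. Separately, the rewritten alias in the first hunk keeps the misspelling `ExpiryingResource`; `ExpiringResource` is the intended word.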