ARs configured with IPSec on two private networks cannot communicate with each other

The possible causes are as follows:
1. The public addresses of two IPSec-enabled ARs cannot be pinged.
2. The data flow to be encapsulated with the IPSec header is defined incorrectly, or both IPSec and NAT are applied to the same data flow. Run the display acl all command to check which ACL rules the traffic matches. If both IPSec and NAT are applied to the same data flow, use either of the following methods to prevent the two data flows from overlapping:
- Ensure that the destination IP address denied in the ACL rule referenced by NAT is the destination IP address in the ACL rule referenced by IPSec. The device then does not perform NAT on the data flow protected by IPSec.
- Make the ACL rule referenced by IPSec match the NAT-translated IP address.
3. The AR has learned incorrect private routes: the outbound interface of the route to the destination private network is not the public network interface on which IPSec is enabled.
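The following configuration fragment is an added example (not from the original page or Huawei documentation) showing the first method for cause 2 on one AR: the NAT ACL denies the traffic between the two private networks before permitting the rest, so that traffic only matches the IPSec ACL. All addresses, ACL numbers, interface names, and the policy, peer and proposal names are assumed values chosen for illustration.

```text
# Assumed addressing: local private network 192.168.1.0/24,
# remote private network 192.168.2.0/24, public interface GigabitEthernet0/0/1.

# ACL referenced by NAT: deny the IPSec-protected flow first, then permit
# the remaining private traffic for translation.
acl number 3000
 rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 permit ip source 192.168.1.0 0.0.0.255
#
# ACL referenced by IPSec: exactly the flow between the two private networks.
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
# IPSec policy referencing the IPSec ACL (ike-peer and proposal assumed to exist).
ipsec policy policy1 10 isakmp
 security acl 3001
 ike-peer peer1
 proposal prop1
#
# Both NAT outbound and the IPSec policy are applied on the same public interface.
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 nat outbound 3000
 ipsec policy policy1
#
```

After applying this, display acl all should show rule 5 of ACL 3000 and rule 5 of ACL 3001 both matching the private-to-private traffic, which is the expected result: the deny in the NAT ACL keeps that flow out of translation, while the IPSec ACL still selects it for encapsulation. If the NAT ACL shows matches only on rule 10 for that flow, the deny rule is missing or ordered after the permit, and the overlap described in cause 2 is still present.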
