Reason why devices on two private networks cannot communicate after IPSec is configured on the AR

Devices on two private networks fail to communicate with each other after IPSec is configured. The possible causes are as follows:

- The public addresses of the two IPSec-enabled devices cannot ping each other.
- The data flow to be encapsulated with the IPSec header is defined incorrectly, or both IPSec and NAT are applied to the same data flow. Run the display acl all command to check which ACL rules the traffic matches. If both IPSec and NAT are applied to the same data flow, use either of the following methods to prevent the data flows from overlapping:
  - Add a deny rule to the ACL referenced by NAT whose destination IP address is the destination IP address of the ACL rule referenced by IPSec. The device then does not perform NAT on the data flow protected by IPSec.
  - Make the ACL rule referenced by IPSec match the NAT-translated IP address.
- The AR has learned an incorrect private route: the outbound interface of the route to the destination private network is not the public network interface on which IPSec is enabled.
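The first overlap fix above, shown as an added configuration fragment in Huawei VRP syntax (this is an illustration, not a configuration taken from the page or from Huawei documentation; the ACL numbers, interface, policy name and the 10.1.1.0/24 and 10.1.2.0/24 private networks are constructed):

```text
# Overlapping (wrong): the NAT ACL permits everything from the local LAN,
# so traffic bound for the remote LAN is translated before IPSec sees it
# and no longer matches the IPSec ACL.
acl number 3001
 rule 10 permit ip source 10.1.1.0 0.0.0.255
#
# Corrected: deny the IPSec-protected flow in the NAT ACL first, then
# permit the rest. The deny must come before the permit because rules
# are matched in order of rule ID.
acl number 3001
 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.1.0 0.0.0.255
#
# ACL referenced by IPSec: the flow to protect, stated with untranslated
# private addresses because NAT no longer touches it.
acl number 3002
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec policy policy1 1 isakmp
 security acl 3002
#
# Both NAT and the IPSec policy are applied on the same public interface.
interface GigabitEthernet0/0/1
 nat outbound 3001
 ipsec policy policy1
#
# Verify: display acl all should show hits on rule 5 of ACL 3001 and on
# rule 5 of ACL 3002 when hosts on 10.1.1.0/24 reach 10.1.2.0/24.
```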
