IPSec is unavailable when both IPSec and NAT are configured on an interface of the AR

If NAT is configured on the interface to which an IPSec policy is applied, IPSec does not take effect because the device executes the NAT configuration first. Use either of the following methods:
-Ensure that the destination IP address denied in the ACL rule referenced by NAT is the destination IP address in the ACL rule referenced by IPSec. By doing so, the device does not perform NAT on the data flow protected by IPSec.
- Ensure that the ACL rule referenced by IPSec matches the NAT-translated IP address.

Note:
After the deny rule is defined, you are advised to run the reset session all or reset nat session all command to reestablish the flow table, ensuring that there are no incorrect NAT entries.
If services are transmitted unidirectionally, check whether the NAT policy is applied to the device. If so, perform operations according to the preceding method.

Scroll to top