Router A cannot establish a standard IPsec VPN tunnel with router B. An analysis reveals one or more NAT points in the delivery path of each IPsec packet being sent to router B. What is the problem and what is the solution?
IPsec encrypts Layer 4 port information and IKE NAT traversal needs to be configured on this network.
The port number information in the ESP header is encrypted. Use ESP tunnel mode instead of transport mode.
Router A needs to decrypt the Layer 4 port information. Configure ESP protocol on router A.
NAT changes the source IP address of the packets, so the IPsec ESP integrity check will fail. Use PAT instead of NAT.