Which of the following can be done to resolve this problem?




After implementing the IKEv2 tunnel, it was observed that remote users on the
192.168.33.0/24 network are unable to access the internet. Which of the following can be
done to resolve this problem?




After implementing the IKEv2 tunnel, it was observed that remote users on the
192.168.33.0/24 network are unable to access the internet. Which of the following can be
done to resolve this problem?

A.
Change the Diffie-Hellman group on the headquarter ASA to group5forthe dynamic crypto
map

B.
Change the remote traffic selector on the remote ASA to 192.168.22.0/24

C.
Change to an IKEvI configuration since IKEv2 does not support a full tunnel with static
peers

D.
Change the local traffic selector on the headquarter ASA to 0.0.0.0/0

E.
Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0

Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the
IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the
tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from
192.168.33.0/24 to 192.168.22.0/24.



Leave a Reply 1

Your email address will not be published. Required fields are marked *


MindTheGap

MindTheGap

Correct answer is D

Scenario says all traffic from the remote site including internet traffic must transit through HQ. Since the remote firewall is already set to encrypt all traffic (0.0.0.0/0) the local HQ traffic must also be set to 0.0.0.0/0. With this returning internet traffic is encrypted as well as HQ local traffic to remote site.