You are responsible for bringing up an IPsec tunnel between two Cisco IOS routers in Site A and Site B and, at the same time, allowing them to access the Internet from their local sites. You applied these configurations to the routers:
You issue the show crypto ipsec sa command and see that the tunnel is up, but no packets are encrypted or decrypted on either side. To test connectivity, you sourced a ping from the private interface of each router, destined to the private interface of the far-end router. You ask a VPN expert to help you troubleshoot. The expert has verified that ESP is not being blocked and that the routing is correct.
After troubleshooting, the expert makes which of these determinations?
A.
The problem is with the encryption ACL. As you were testing with ICMP, you needed to allow ICMP in both encryption ACLs.
Router 1:
permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router 2:
permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
B.
The problem is with the NAT ACL. VPN traffic should be denied in the NAT ACL so that the ACL looks like the following.
Router 1:
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 any
Router 2:
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 any
C.
The problem is that it is not possible to do NAT along with VPN on a Cisco IOS router.
D.
The problem is that NAT transparency is enabled. Disable NAT transparency using the following global command on both routers: no crypto ipsec nat-transparency udp-encapsulation.
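The interaction that option B relies on is the Cisco IOS inside-to-outside order of operations: NAT is applied before the crypto map is evaluated, so a LAN packet that the NAT ACL permits reaches the crypto ACL with an already-translated source address and no longer counts as interesting traffic. The following is an added example model of that ordering (not part of the question, and not Cisco code); the public address 203.0.113.1, the Internet host 198.51.100.10 and the /24 wildcard on the permit line are assumptions.

```python
import ipaddress

# Constructed model of the IOS inside-to-outside path: NAT ACL first, then crypto ACL.
SITE_A_LAN = ipaddress.ip_network("192.168.1.0/24")
SITE_B_LAN = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
ROUTER1_OUTSIDE = "203.0.113.1"   # assumed outside address of Router 1 (documentation range)

# Crypto ACL from the scenario: only Site A LAN -> Site B LAN is interesting traffic.
CRYPTO_ACL = [("permit", SITE_A_LAN, SITE_B_LAN)]

# NAT ACL without a VPN exemption: everything sourced from the LAN is translated.
NAT_ACL_BROKEN = [("permit", SITE_A_LAN, ANY)]

# NAT ACL as option B proposes: deny the VPN traffic first, then permit the rest.
NAT_ACL_FIXED = [("deny", SITE_A_LAN, SITE_B_LAN), ("permit", SITE_A_LAN, ANY)]


def acl_action(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def forward_outbound(nat_acl, src, dst):
    """Return (disposition, source address seen on the wire) for one LAN-originated packet."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = ROUTER1_OUTSIDE            # PAT overload onto the outside interface address
    if acl_action(CRYPTO_ACL, src, dst) == "permit":
        return ("encrypted", src)        # this is what increments the show crypto ipsec sa counters
    return ("cleartext", src)            # routed in the clear; tunnel counters stay at zero


if __name__ == "__main__":
    for name, acl in (("broken", NAT_ACL_BROKEN), ("fixed", NAT_ACL_FIXED)):
        print(name, "ping 192.168.1.1 -> 192.168.2.1 :", forward_outbound(acl, "192.168.1.1", "192.168.2.1"))
        print(name, "web  192.168.1.1 -> 198.51.100.10:", forward_outbound(acl, "192.168.1.1", "198.51.100.10"))
```

With the broken NAT ACL the site-to-site ping is translated to 203.0.113.1 and never matches the crypto ACL, which is exactly the symptom of an SA that is up with zero encrypt/decrypt counters; the deny entry keeps the private source intact while Internet-bound traffic is still translated.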