A network engineer is troubleshooting an IPsec site-to-site VPN between two routers. The tunnel interface is up/up, but traffic from the local LAN to the remote LAN is not passing. The engineer checks the crypto map and sees it is applied to the outside interface. What is the most likely cause of the traffic failure?
- A
The crypto map is not applied to the tunnel interface.
Why wrong: With a classic crypto-map design the map is applied to the physical outside interface, the interface the encrypted packets actually leave through. That is exactly where the engineer found it, so its placement is not the fault. Binding protection to a tunnel interface is the VTI/GRE model (tunnel protection with an IPsec profile), a different design from the one described.
- B
The access list in the crypto map does not match the LAN-to-LAN traffic.
Correct. A crypto map does not encrypt everything that leaves the interface; its match address access list (the crypto ACL) defines the "interesting" traffic that is handed to IPsec. Packets the ACL does not permit fall to the implicit deny and are simply routed in the clear out the outside interface; with private LAN addresses as source and destination they are dropped upstream or by the remote router and never reach the remote LAN. The usual causes are a wrong subnet or wildcard mask on one side, or the two peers' crypto ACLs not being mirror images of each other. On the router, show crypto ipsec sa lists the negotiated local and remote identities and the #pkts encaps counter; if that counter stays at zero while LAN hosts are sending, the crypto ACL is not matching the traffic.
- C
The IPsec transform set is missing the esp-aes encryption algorithm.
Why wrong: The transform set defines the ESP encryption and integrity algorithms negotiated in IKE phase 2. If the two peers had no transform in common, the IPsec SA would never be built and the tunnel would not show as up. A transform set without esp-aes is also not a fault by itself: any cipher both peers agree on will negotiate, so the absence of one particular algorithm is not the cause here.
- D
The IKE phase 1 proposal is mismatched between the two routers.
Why wrong: A mismatched phase 1 proposal (encryption, hash, DH group, authentication method or lifetime) means no ISAKMP SA is ever established, so phase 2 never starts and nothing comes up at all. The scenario states the tunnel is up, which rules out a phase 1 problem.
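The check behind answer B, as an added Python example that is not part of the original question: it parses Cisco-style crypto ACL lines, evaluates sample LAN-to-LAN flows against them with first-match semantics and an implicit deny, and verifies that the peer's ACL is the mirror image of the local one. The ACL lines, subnets and host addresses are constructed for the example, not taken from the question; the remote LAN is assumed to be 10.10.0.0/24 and the mismatched ACL protects 10.1.0.0/24 instead.

```python
"""Check whether a Cisco-style crypto ACL actually matches the LAN-to-LAN flows
a site-to-site tunnel is supposed to carry, and whether the peer's ACL mirrors it.

All ACLs and addresses below are constructed for this example (assumed subnets),
not taken from the question."""
import ipaddress

# Local LAN 192.168.1.0/24 should reach remote LAN 10.10.0.0/24 (assumed).
MISMATCHED_LOCAL_ACL = "access-list 110 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.0.255"
CORRECTED_LOCAL_ACL = "access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255"
REMOTE_ACL = "access-list 120 permit ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255"


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_operand(tokens, i):
    """Parse one address operand (any | host A | A WILDCARD) starting at tokens[i].
    Returns (network, mask, next_index) with the mask as a normal subnet mask."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return _ip(tokens[i + 1]), 0xFFFFFFFF, i + 2
    # Cisco wildcard: 1 bits are "don't care", so invert it to get the subnet mask.
    mask = ~_ip(tokens[i + 1]) & 0xFFFFFFFF
    return _ip(tok) & mask, mask, i + 2


def parse_crypto_acl(text):
    """Return (permit, src_net, src_mask, dst_net, dst_mask) per
    'access-list N permit|deny ip SRC DST' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue
        src_net, src_mask, i = _parse_operand(t, 4)
        dst_net, dst_mask, _ = _parse_operand(t, i)
        entries.append((t[2] == "permit", src_net, src_mask, dst_net, dst_mask))
    return entries


def is_interesting(acl_text, src_ip, dst_ip):
    """First-match evaluation like IOS. True means the flow is handed to IPsec;
    False (including the implicit deny at the end) means it is routed in the clear."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for permit, sn, sm, dn, dm in parse_crypto_acl(acl_text):
        if (s & sm) == sn and (d & dm) == dn:
            return permit
    return False


def is_mirror(local_text, remote_text):
    """Both peers must protect the same network pairs with src/dst swapped,
    otherwise the phase 2 proxy identities will not agree."""
    local = {(sn, sm, dn, dm) for p, sn, sm, dn, dm in parse_crypto_acl(local_text) if p}
    remote = {(dn, dm, sn, sm) for p, sn, sm, dn, dm in parse_crypto_acl(remote_text) if p}
    return local == remote


def check_tunnel(local_acl, remote_acl, flows):
    """Summarise which sample (src, dst) flows would be encrypted and whether the ACLs mirror."""
    return {
        "encrypted": {f: is_interesting(local_acl, *f) for f in flows},
        "mirror": is_mirror(local_acl, remote_acl),
    }


if __name__ == "__main__":
    flows = [("192.168.1.10", "10.10.0.20")]   # one host-to-host flow between the two LANs
    for name, acl in (("mismatched", MISMATCHED_LOCAL_ACL), ("corrected", CORRECTED_LOCAL_ACL)):
        print(name, check_tunnel(acl, REMOTE_ACL, flows))
```

Running the script shows the mismatched ACL reporting the LAN-to-LAN flow as not encrypted and the mirror check failing, while the corrected ACL passes both; the same two checks (does the ACL match the real subnets, and does the peer's ACL mirror it) are what to confirm on the routers before looking at transform sets or phase 1 settings.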