A network technician is setting up a remote access VPN for employees using IPsec. The company's firewall is configured to allow IPsec traffic. Employees report that they can successfully establish the VPN connection (tunnel appears up), but they cannot ping or access any internal resources (e.g., file servers). The firewall logs show that packets from the VPN client IP addresses are being dropped at the firewall interface. Which of the following is the MOST likely cause of this issue?
The tunnel being up indicates that IPsec negotiation succeeded, but the firewall still needs an ACL entry that permits the forwarded traffic from the VPN client subnet to the internal network.
Why this answer
The VPN tunnel is established, meaning that IPsec Phase 1 and Phase 2 have completed and the client holds a valid IP address from the pool. However, packets from the VPN subnet are being dropped at the firewall interface, which indicates that the firewall's access control list (ACL) has no permit statement for traffic sourced from the VPN client subnet and destined for the internal network. Without that ACL entry, the firewall drops the traffic even though the tunnel is up.
How to eliminate wrong answers
Option A is wrong because if the VPN client had not been assigned a correct IP address from the pool, the tunnel would not establish successfully (the client would fail Phase 2 or would not receive a usable IP), and the logs would show authentication or address-assignment failures rather than dropped packets at the firewall interface. Option C is wrong because an intrusion prevention system (IPS) typically blocks traffic based on signatures or anomalies, not all traffic from a VPN subnet by default; the logs would show IPS alerts, not simple drops at the interface. Option D is wrong because if the IPsec encryption algorithm were incompatible, the tunnel would fail to establish (Phase 2 would fail) and the VPN connection would not appear up.