A security engineer is troubleshooting a site-to-site IPsec VPN between two firewalls. The tunnel status shows Phase 1 is up but Phase 2 is not. Which of the following is the most likely cause?
Common traps:
- Trap 1: Incorrect pre-shared key. An incorrect pre-shared key would cause Phase 1 to fail, not Phase 2.
- Trap 2: Mismatched authentication algorithm. A mismatched authentication algorithm would also cause Phase 1 to fail.
- Trap 3: Firewall rule blocking IKE traffic. If IKE were blocked, Phase 1 would not establish.
Options:
- A. Incorrect pre-shared key
  Why wrong: An incorrect pre-shared key would cause Phase 1 to fail, not Phase 2.
- B. Mismatched authentication algorithm
  Why wrong: A mismatched authentication algorithm would also cause Phase 1 to fail.
- C. Firewall rule blocking IKE traffic
  Why wrong: If IKE were blocked, Phase 1 would not establish.
- D. Mismatched proxy IDs (traffic selectors)
  Why correct: Proxy IDs define which traffic should be encrypted; if they don't match, Phase 2 fails.