An engineer has successfully established a phase 1 tunnel, but notices that no packets are decrypted on the head end side of the tunnel.
What is a potential cause for this issue?
A. different phase 2 encryption
B. misconfigured DH group
C. disabled PFS
D. firewall blocking Phase 2 ESP or AH
Phase 2 negotiation NEEDS to be completed to send encrypted traffic. If phase 2 did not complete, you'd see send errors on egress in the IPsec SA counters.
It's D, the correct answer.
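The reasoning in the thread, as an added example that is not part of the original post: the two SA counter blocks are constructed in the style of an IOS `show crypto ipsec sa` display (values made up), and the `diagnose()` logic assumes the counter semantics the comment describes (send errors when phase 2 never comes up; encaps on one end with zero decaps on the other when ESP/AH is dropped in transit).

```python
import re
from dataclasses import dataclass

# Constructed sample SA counter blocks (IOS-style wording, made-up values).
# The branch is encrypting and sending, but the head end decrypts nothing.
HEAD_END_SA = """\
    #pkts encaps: 842, #pkts encrypt: 842, #pkts digest: 842
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""
BRANCH_SA = """\
    #pkts encaps: 915, #pkts encrypt: 915, #pkts digest: 915
    #pkts decaps: 842, #pkts decrypt: 842, #pkts verify: 842
    #send errors 0, #recv errors 0
"""


@dataclass
class SaCounters:
    encaps: int       # packets encrypted and sent into the tunnel
    decaps: int       # packets received from the tunnel and decrypted
    send_errors: int  # egress packets that could not be sent (e.g. no SA)


def parse_sa(text: str) -> SaCounters:
    """Extract the three counters the diagnosis needs from one SA block."""
    def grab(pattern: str) -> int:
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"counter not found: {pattern}")
        return int(match.group(1))
    return SaCounters(
        encaps=grab(r"#pkts encaps:\s*(\d+)"),
        decaps=grab(r"#pkts decaps:\s*(\d+)"),
        send_errors=grab(r"#send errors\s*(\d+)"),
    )


def diagnose(head_end: SaCounters, branch: SaCounters) -> str:
    """Classify the symptom from both ends' counters (assumed semantics)."""
    # Phase 2 never completed: traffic for the tunnel has no SA, so egress fails.
    if head_end.send_errors or branch.send_errors:
        return "phase2-not-complete"
    # Phase 2 is up and the branch encrypts, yet the head end decrypts nothing:
    # ESP (IP protocol 50) or AH (51) is being dropped on the path, not IKE.
    if branch.encaps > 0 and head_end.decaps == 0:
        return "esp-or-ah-blocked-toward-head-end"
    if head_end.encaps > 0 and branch.decaps == 0:
        return "esp-or-ah-blocked-toward-branch"
    return "healthy"
```

Checking the firewall for IP protocol 50/51 (and UDP 4500 if NAT-T is in play) is the follow-up when the result is one of the "blocked" cases.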