VPN tunnel is up but remote LAN is not reachable

Publication Date: 2014-04-13
Issue Description
The Tunnel is up but remote LAN is not reachable.

The scenario is a site-to-site IPsec VPN; both sites use PPPoE with DynDNS.

Site 1 : DXB
Local LAN : 192.168.2.0/24
Remote LAN : 192.168.0.0/24
DynDNS domain : adcdxb.dyndns-home.com

Site 2 : AUH
Local LAN : 192.168.0.0/24
Remote LAN : 192.168.2.0/24
DynDNS domain : adcauh.dyndns.org
Alarm Information
none
Handling Process
Check the configuration on the PPPoE port (interface Dialer0):

interface Dialer0
link-protocol ppp
ppp chap user advdent
ppp chap password cipher %$%$q{I&S1A+xUA0l1Tc~(.NU:1(%$%$
ppp pap local-user advdent password cipher %$%$2xlC1B`zkX-gBBW2Sa:.U0'{%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user advdent
dialer-group 10
dialer bundle 1
ipsec policy map1 auto-neg
ddns apply policy abc
service-manage enable
service-manage https permit
service-manage ping permit
service-manage ssh permit
nat enable    // This is unwanted: NAT should be configured as an interzone nat-policy, not under the interface. Delete this command.
detect ftp

Both firewalls (FW-DXB and FW-AUH) had this incorrect configuration: "nat enable" under interface Dialer0.

After deleting the "nat enable" command from the Dialer0 interface on both sides, communication between the remote LANs worked and IPsec operated correctly.

Root Cause
The root cause is the interface-level source NAT configuration (the "nat enable" command under the interface). This command causes the traffic to be NATed first, so it no longer matches the IPsec ACL; the "nat enable" configuration sends the traffic through NAT instead of into the IPsec tunnel.
Suggestions
When IPsec and NAT are configured together on the same interface, do not configure the "nat enable" command under that interface; otherwise the matching flows enter NAT instead of the IPsec tunnel and the IPsec traffic cannot be forwarded correctly. Configure NAT as an interzone nat-policy instead.
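The following is an added example, not part of this article or Huawei's own tooling: a small Python lint that parses a Huawei-style configuration, flags any interface that binds an IPsec policy and also carries interface-level "nat enable", and models the forwarding decision described above (source NAT applied before the IPsec ACL match). The sample config, the public egress address 203.0.113.10 and the IPsec ACL (192.168.2.0/24 to 192.168.0.0/24, implied by the scenario but not shown in the article) are constructed assumptions.

```python
import ipaddress

# Constructed sample config (not the article's full config). Dialer0 binds the
# IPsec policy but also has "nat enable": the misconfiguration from this case.
SAMPLE_CONFIG = """\
#
interface Dialer0
 link-protocol ppp
 ip address ppp-negotiate
 ipsec policy map1 auto-neg
 nat enable
#
interface GigabitEthernet0/0/0
 ip address 192.168.2.1 255.255.255.0
#
"""

def parse_interfaces(config):
    """Return {interface_name: [commands]} from Huawei-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "#" or not line:
            current = None  # a lone "#" closes the section
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def find_nat_ipsec_conflicts(config):
    """Interfaces with both an IPsec policy and interface-level 'nat enable'."""
    conflicts = []
    for name, cmds in parse_interfaces(config).items():
        has_ipsec = any(c.startswith("ipsec policy ") for c in cmds)
        has_nat = any(c == "nat enable" for c in cmds)
        if has_ipsec and has_nat:
            conflicts.append(name)
    return conflicts

def select_path(src, dst, nat_enabled, egress_ip="203.0.113.10"):
    """Path taken by a DXB->AUH flow. With interface NAT, the source is rewritten to
    the (assumed) public egress address before the IPsec ACL is checked, so the
    protected-subnet pair no longer matches and the flow is NATed, not tunnelled."""
    local = ipaddress.ip_network("192.168.2.0/24")   # assumed IPsec ACL source
    remote = ipaddress.ip_network("192.168.0.0/24")  # assumed IPsec ACL destination
    if nat_enabled:
        src = egress_ip
    if ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote:
        return "ipsec"
    return "nat"
```

Running the lint over a saved "display current-configuration" output on both firewalls is a quick way to catch this before the tunnel is brought up.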
