What Is the Requirement for Private IP Addresses Used by Branch Users for Dial-Up in an L2TP Over IPSec Scenario?
When L2TP packets are encrypted by IPSec and traverse a NAT device, the NAT device translates only the encrypted (outer) packets; the inner L2TP packet is not changed. When the packets reach the headquarters, the firewall decrypts and processes them, and the source IP address of the decrypted L2TP packet is the private IP address of the branch. If the private IP addresses of the branch are on the same network segment as the headquarters intranet, the L2TP reply packets from the firewall match the intranet route and are sent to the intranet, instead of being encrypted and sent to the extranet. As a result, the dial-up fails. Therefore, the private IP addresses of the branch must be on a different network segment from the headquarters network.
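The routing behaviour described above can be checked before deployment. The following is an added example (not from the original page or the vendor's software): it simulates the headquarters firewall's longest-prefix-match route lookup for an L2TP reply addressed to a branch user's private IP, and it checks an address plan for branch pools that overlap a headquarters intranet subnet. The prefixes, egress names and pools are constructed assumptions for illustration.

```python
import ipaddress

# Constructed headquarters routing table (assumed values, not from the page).
# Each entry is (destination prefix, egress). The intranet is a connected
# route; the default route leads to the extranet, where the IPSec tunnel is.
HQ_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "intranet"),
    (ipaddress.ip_network("0.0.0.0/0"), "extranet"),
]


def lookup_egress(routes, dst):
    """Longest-prefix-match lookup: the most specific matching prefix wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, egress in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def l2tp_reply_path(routes, branch_private_ip):
    """Classify where the firewall's L2TP reply goes.

    The decrypted L2TP request carries the branch user's private IP as its
    source, so the reply is addressed to that private IP. Only a reply routed
    to the extranet is picked up by the IPSec tunnel and encrypted; a reply
    routed to the intranet never reaches the branch and the dial-up fails.
    """
    egress = lookup_egress(routes, branch_private_ip)
    return "encrypted-to-branch" if egress == "extranet" else "lost-on-intranet"


def overlapping_pools(hq_subnets, branch_pools):
    """Address-plan check: branch pools that overlap any HQ intranet subnet."""
    hq = [ipaddress.ip_network(s) for s in hq_subnets]
    return [pool for pool in branch_pools
            if any(ipaddress.ip_network(pool).overlaps(h) for h in hq)]


if __name__ == "__main__":
    # Branch user on the same segment as the HQ intranet: reply is misrouted.
    print(l2tp_reply_path(HQ_ROUTES, "192.168.1.50"))
    # Branch user on a distinct segment: reply follows the default route.
    print(l2tp_reply_path(HQ_ROUTES, "172.16.5.10"))
    # Flag conflicting pools in a constructed address plan.
    print(overlapping_pools(["192.168.1.0/24", "10.0.0.0/8"],
                            ["192.168.1.0/24", "172.16.5.0/24", "10.2.0.0/16"]))
```

Run the overlap check against the real intranet prefixes and every branch's dial-up address pool whenever a new branch is added; any pool it reports will produce the misrouted replies described above.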