Exam PCNSE
Question 598

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:

Site B configuration:

    Correct Answer: A, D

    For the IPSec tunnel to come up, the IKE version must match on the Site A and Site B firewalls: both peers must negotiate with the same IKE protocol version, otherwise the tunnel cannot be established. Additionally, because Site A holds a DHCP assigned address, Site B has no known peer IP to connect to, so Site A must be the one to initiate the IKE negotiation. This requires passive mode to be disabled on Site A so that it actively starts the negotiation. Hence, matching the IKE version on both firewalls and disabling passive mode on Site A are the two changes needed for a working configuration.

Discussion
hcir
Options: AD

A. IKE versions have to match. D. Site A cannot be passive, else it won't initiate the IKE negotiation. Site B cannot initiate it as it does not know the IP address of Site A.

poiuytr
Options: AD

A - obvious, you need to have the possibility to negotiate the same IKE version.
B - not necessary, because "If you don’t specify a value, the gateway will use the local IP address as the Local Identification value."
C - not connected with the screenshots.
D - "Peer IP Address Type - Dynamic—Select this option if the peer IP address or FQDN value is unknown. When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation."