if we enable the private address, the client address will be a private address, so we will have to use the private address supplied by the SecGW as the ip’s for our filter. When we do back to back test against our Security Gateway simulator/node, if we just use 1 MN, the starting private address is 7.0.0.1. So, under the Advance IPSec Setting, use 7.0.0.1 for the initiator and then the Network Host address as the responder.
For the case both EAP and private address enabled, the initiator starting IP is not 7.0.0.1, it’s 0.0.0.1. It’s a little tricky here, our Security Gateway simulator/node, for EAP disabled cases, it assigns private address starting from 7.0.0.1; but for EAP enabled cases, it assigns address starting from 0.0.0.1. this is the logic hidden in the behind.
Please note that if you want to use traffic selector, make sure the Starting IP/Ending IP in Initiator side consist with the private address pool assigned by customer’s Sec GW. If the address doesn't match, you will see the data traffic unencrypted issue.