I have set up a Vigor 2820Vn to PIX VPN. The VPN is running okay and passing traffic.

The PIX is the hub and has the following networks and the Vigor is set up as the spoke with I can route traffic between and I cannot, however, get it to pass traffic to networks.

I have defined under more networks. This however does not work as the Cisco only registers the 172.16.0/12 to allow traffic from.

If I only use a single WAN interface and set the default route to the VPN, all traffic will travel through the VPN, but I then can't send my internet traffic directly out the WAN interface.

The pix gives me the following error:

%ASA-4-402116: IPsec: Received an protocol packet (SPI=spi, sequence
number=seq_num) from remote_IP (username) to local_IP. The decapsulated inner
packet doesn’t match the negotiated policy in the SA. The packet specifies its
destination as pkt_daddr, its source as pkt_saddr, and its protocol as pkt_prot.
The SA specifies its local proxy as id_daddr/id_dmask/id_dprot/id_dport and its
remote proxy as id_saddr/id_smask/id_sprot/id_sport.

I have checked DrayTek sites and many other forums. It seems to be a common problem. Some of these links make reference to the issue:

I have tried many different variations and static routes. I however have not been able to route the two subnets down the VPN and all other traffic directly out to the internet.

Are you aware of this issue and if so is there a fix or work around?


You must use the multiple SA function and create a VPN connection for each respective network pair. In your case, you must create two VPN profiles in the 2820. One for and, the other for and. Make sure both VPN profiles use the same preshared key setup.
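To make the %ASA-4-402116 message quoted in the question and the "one SA per network pair" answer concrete, here is an added Python example (not PIX/ASA or DrayTek code). It models an IPsec SA's local and remote proxy identities, reproduces the check the hub performs on a decapsulated inner packet, parses a constructed log line in the quoted format to show which proxy the packet fails, and then shows that a second SA covering the second spoke network makes the same packet match. All addresses, the SPI, the username and the 10.10.10.0/24 hub network are constructed assumptions for illustration.

```python
"""Proxy-identity check behind %ASA-4-402116, and why a separate SA per
network pair fixes it.  Added example, not PIX/ASA or DrayTek code; every
address, SPI and username below is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProxyId:
    """One side of an SA's traffic selector: network, protocol, port (0 = any)."""
    network: ipaddress.IPv4Network
    proto: int = 0
    port: int = 0

    def covers(self, addr: str, proto: int, port: int = 0) -> bool:
        return (ipaddress.ip_address(addr) in self.network
                and self.proto in (0, proto)
                and self.port in (0, port))


@dataclass(frozen=True)
class SA:
    local: ProxyId   # id_daddr/id_dmask/id_dprot/id_dport: the hub-side network
    remote: ProxyId  # id_saddr/id_smask/id_sprot/id_sport: the spoke-side network


def proxy(spec: str) -> ProxyId:
    """Build a ProxyId from 'addr/mask/proto/port' exactly as the log prints it."""
    addr, mask, prot, port = spec.split("/")
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ProxyId(net, int(prot), int(port))


def mismatch_side(sa: SA, src: str, dst: str, proto: int) -> str:
    """Which proxy an inbound inner packet fails: 'remote', 'local', 'both' or 'match'."""
    bad_remote = not sa.remote.covers(src, proto)   # source must sit in the remote proxy
    bad_local = not sa.local.covers(dst, proto)     # destination must sit in the local proxy
    if bad_remote and bad_local:
        return "both"
    if bad_remote:
        return "remote"
    if bad_local:
        return "local"
    return "match"


def find_sa(sas: List[SA], src: str, dst: str, proto: int) -> Optional[SA]:
    """The SA whose negotiated policy accepts this inner packet, or None (a 402116 drop)."""
    for sa in sas:
        if mismatch_side(sa, src, dst, proto) == "match":
            return sa
    return None


# Fields of the message template quoted in the question; greedy [\d./]+ backtracks
# off the sentence-ending '.' so the trailing proxy is captured without it.
_LOG_RE = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\. "
    r"The SA specifies its local proxy as (?P<local>[\d./]+) "
    r"and its remote proxy as (?P<remote>[\d./]+)\."
)


def parse_402116(line: str) -> Optional[Tuple[str, str, int, SA]]:
    """Return (src, dst, proto, SA-as-logged) for a 402116 line, else None."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    sa = SA(local=proxy(m["local"]), remote=proxy(m["remote"]))
    return m["src"], m["dst"], int(m["proto"]), sa


# Constructed sample line in the quoted format: a spoke host on 192.168.1.0/24
# talks to the hub, but the only SA registered for the peer is 172.16.0.0/12.
LOG_LINE = (
    "%ASA-4-402116: IPsec: Received an ESP packet (SPI=0x1A2B3C4D, sequence "
    "number=42) from 203.0.113.10 (vigor2820) to 198.51.100.1. The decapsulated "
    "inner packet doesn't match the negotiated policy in the SA. The packet "
    "specifies its destination as 10.10.10.5, its source as 192.168.1.20, and its "
    "protocol as 6. The SA specifies its local proxy as 10.10.10.0/255.255.255.0/0/0 "
    "and its remote proxy as 172.16.0.0/255.240.0.0/0/0."
)

# Hub with a single SA: only 172.16.0.0/12 is registered for the spoke.
HUB_ONE_SA = [SA(proxy("10.10.10.0/255.255.255.0/0/0"),
                 proxy("172.16.0.0/255.240.0.0/0/0"))]
# Hub after the fix in the answer: one SA per network pair (second VPN profile,
# same preshared key), so 192.168.1.0/24 gets its own proxy pair.
HUB_TWO_SAS = HUB_ONE_SA + [SA(proxy("10.10.10.0/255.255.255.0/0/0"),
                               proxy("192.168.1.0/255.255.255.0/0/0"))]


def demo() -> dict:
    src, dst, proto, logged_sa = parse_402116(LOG_LINE)
    return {
        "mismatch": mismatch_side(logged_sa, src, dst, proto),
        "one_sa": find_sa(HUB_ONE_SA, src, dst, proto) is not None,
        "two_sas": find_sa(HUB_TWO_SAS, src, dst, proto) is not None,
    }


if __name__ == "__main__":
    print(demo())  # {'mismatch': 'remote', 'one_sa': False, 'two_sas': True}
```

Reading the mismatch side from a real 402116 line tells you which end to fix: a "remote" mismatch means the spoke is sending from a network the hub never negotiated a proxy for, which is exactly the case a second VPN profile (a second SA pair) resolves; a "local" mismatch means the hub-side network in that profile is wrong.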