I have setup a Vigor 2820Vn to PIX VPN. The VPN is running okay and passing traffic.
The PIX is the hub and has the following networks 172.16.0.0/12 and 10.0.0.0/8. The Vigor is setup as the spoke with 172.30.16.0/24. I can route traffic between 172.16.0.0/12 and 172.30.16.0/24. I can not however get it to pass traffic to 10.0.0.0/8 networks.
I have defined 10.0.0.0/8 under more networks. This however does not work as the Cisco only registers the 172.16.0/12 to allow traffic from.
If I only use a single WAN interface and set the default route 0.0.0.0/0 to the VPN, all traffic will travell through the VPN, but I then can’t send my internet traffic directly out the WAN interface.
The pix gives me the following error:
%ASA-4-402116: IPsec: Received an protocol packet (SPI=spi, sequence
number=seq_num) from remote_IP (username) to local_IP. The decapsulated inner
packet doesn’t match the negotiated policy in the SA. The packet specifies its
destination as pkt_daddr, its source as pkt_saddr, and its protocol as pkt_prot.
The SA specifies its local proxy as id_daddr/id_dmask/id_dprot/id_dport and its
remote proxy as id_saddr/id_smask/id_sprot/id_sport.
I have checked draytek sites and many other forums. It seems to be a common problem. Some of these links make refrence to the issue:
I have tried many different variations and static routes. I however have not been able to route the two subnets down the vpn and all other traffic directly out to the internet.
Are you aware of this issue and if so is there a fix or work around?
You must use the multiple SA function and create a vpn connection for respective network pair. In your case, you must create two vpn profiles in the 2820. One for 172.30.16.0/24 and 172.16.0.0/12, the other for 172.30.16.0/24 and 10.0.0.0/8. Make sure both vpn profiles use the same preshared key setup.