05-23-2007 05:50 AM - edited 02-21-2020 03:04 PM
Hello,
I have a 3030 series concentrator, with three interfaces.
"Ethernet 1 (Private)" faces our internal network. Its IP is 10.1.1.1 (of course IPs have been changed to protect the innocent).
"Ethernet 2 (Public)" faces the Internet. Its IP is 70.70.1.1.
"Ethernet 3 (External)" faces our company WAN. Its IP is 192.168.1.1.
For routing, our default route points out Ethernet2 towards the Internet, and we have static routes facing inside and to our WAN.
Most of our Lan to Lan VPNs are built over the Internet, and work fine. However, we have some sites that we want to VPN with, over our WAN.
So for Ethernet3, we modified it to be a Public Interface (by selecting the checkbox), applied the Public (Default) filter, and added static routes for our partner VPN devices.
However, we cannot initiate the VPN. We've set up a network sniffer, and found the problem.
Let's say our remote VPN endpoint is 192.168.3.3. And we have a static route out Ethernet3 for that.
During IKE phase 1, the conversation is correctly between 192.168.1.1 and 192.168.3.3. However, once ESP starts, the source of the packets becomes 70.70.1.1.
That public IP (70.70.1.1) is of course not routable on our WAN. So we never get any reply packets from our remote VPN peer (192.168.3.3).
Here's a more detailed packet trace...
192.168.1.1 192.168.3.3 ISAKMP Identity Protection (Main Mode)
192.168.1.1 192.168.3.3 ISAKMP Identity Protection (Main Mode)
192.168.1.1 192.168.3.3 ISAKMP Identity Protection (Main Mode)
192.168.1.1 192.168.3.3 ISAKMP Quick Mode
192.168.1.1 192.168.3.3 ISAKMP Quick Mode
70.70.1.1 192.168.3.3 ESP ESP (SPI=0x2eb63db6)
70.70.1.1 192.168.3.3 ESP ESP (SPI=0x2eb63db6)
70.70.1.1 192.168.3.3 ESP ESP (SPI=0x2eb63db6)
70.70.1.1 192.168.3.3 ESP ESP (SPI=0x2eb63db6)
What could be making the VPN Concentrator switch what IP it sources the packets from?
Thanks!
Bill
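The symptom in the trace above (IKE negotiated from one local address, ESP for the same peer sourced from another) is easy to miss in a long capture. The following script is an added example, not code from the original post or from Cisco: it parses a trace in the same three-column shape shown above (source, destination, protocol/info) and, for each remote peer, reports when an ESP packet is sourced from an address that never appeared as the ISAKMP source for that peer. The sample trace is constructed from the post's placeholder addresses plus a second, healthy peer (203.0.113.9, an assumed address) for contrast.

```python
"""Flag IPsec peers whose ESP source address differs from their IKE source.

Added example, not part of the original post. Input is a text trace with
lines of the form "<src> <dst> <ISAKMP|ESP> <info>", as pasted above.
"""
import re
from collections import defaultdict

# Constructed sample trace: the post's placeholder addresses, plus an assumed
# second peer (203.0.113.9) that behaves correctly so the check has a negative case.
SAMPLE_TRACE = """\
192.168.1.1 192.168.3.3 ISAKMP Identity Protection (Main Mode)
192.168.1.1 192.168.3.3 ISAKMP Identity Protection (Main Mode)
192.168.1.1 192.168.3.3 ISAKMP Quick Mode
70.70.1.1 192.168.3.3 ESP ESP (SPI=0x2eb63db6)
70.70.1.1 192.168.3.3 ESP ESP (SPI=0x2eb63db6)
10.0.0.5 203.0.113.9 ISAKMP Identity Protection (Main Mode)
10.0.0.5 203.0.113.9 ISAKMP Quick Mode
10.0.0.5 203.0.113.9 ESP ESP (SPI=0x11223344)
"""

# src, dst, protocol keyword, and whatever follows (mode text or SPI).
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(ISAKMP|ESP)\b(.*)$")
SPI_RE = re.compile(r"SPI=(0x[0-9a-fA-F]+)")


def parse_trace(text):
    """Yield (src, dst, proto, spi_or_None) for every recognised trace line.

    Lines that do not match the expected shape (headers, blank lines) are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, rest = m.groups()
        spi = SPI_RE.search(rest)
        yield src, dst, proto, (spi.group(1) if spi else None)


def find_source_mismatches(text):
    """Return {peer: {"ike_src": set, "esp_src": set, "spis": set}} for each
    remote peer whose ESP traffic is sourced from an address that was never
    used as the ISAKMP source towards that peer.

    Only outbound packets are considered (the peer is the destination), which
    is exactly the direction the sniffer shows going wrong in the post.
    """
    per_peer = defaultdict(lambda: {"ike_src": set(), "esp_src": set(), "spis": set()})
    for src, dst, proto, spi in parse_trace(text):
        entry = per_peer[dst]
        if proto == "ISAKMP":
            entry["ike_src"].add(src)
        else:
            entry["esp_src"].add(src)
            if spi:
                entry["spis"].add(spi)
    # A peer is suspicious when some ESP source is not among its IKE sources.
    return {peer: e for peer, e in per_peer.items() if e["esp_src"] - e["ike_src"]}


if __name__ == "__main__":
    for peer, e in find_source_mismatches(SAMPLE_TRACE).items():
        print(
            f"peer {peer}: IKE from {sorted(e['ike_src'])}, "
            f"ESP from {sorted(e['esp_src'])}, SPIs {sorted(e['spis'])}"
        )
```

Run against the trace in the post, the script reports only 192.168.3.3 (IKE from 192.168.1.1, ESP from 70.70.1.1, SPI 0x2eb63db6); the healthy peer is silent. A capture from tcpdump or Wireshark has to be exported into the same three-column shape first, since the parser keys on the protocol keyword in the third column.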
05-29-2007 10:48 AM
Try these steps:
>Check internal routing on the concentrator
>Insert the static route on the inside router which connects to the private interface of the concentrator
Try these links:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml