VPN between ASA and Draytek - with vpn-filter

gammatel1
Level 1

I have successfully established an IPsec VPN between an ASA and a customer's Draytek - the Draytek is using its public IP for both the VPN endpoint and for NATing internal traffic over the VPN. If I apply a vpn-filter statement to the ASA configuration (using group-policies) - the VPN still establishes to Phase 2 - but no packets are decrypted/decapsulated from the customer.

I'm wondering if it's because the customer is using his public IP for both the VPN endpoint and for NATing... any thoughts...

2 Replies

yamramos.tueme
Level 1

Have you checked if you are encrypting packets on your end? It could be that your end is not sending traffic.

There are no packets being encaps or encrypted - but the customer initiates the VPN connection and data stream and I don't see any packets being decapsulated or decrypted. The vpn-filter ACL is applied to traffic once it is decapsulated and decrypted - but since there are no packets being received (out of the VPN) the vpn-filter ACL is not seeing any hits. Removing the vpn-filter ACL and group-policy means that the packets flow correctly over the VPN, i.e. packets are decaps/encaps and decrypt/encrypt correctly.

I have a load more VPNs using vpn-filters that work perfectly - but this VPN is the only one where the customer uses the same IP for both the VPN tunnel endpoint and for NATing his traffic over the VPN.