Problems on VPN between ASA 5520 and Draytek 2925

codflanglers
Level 1

I have set up a site-to-site VPN between an ASA 5520 and a Draytek 2925. The VPN is up, but the Cisco is complaining:

 

IPSEC: Received an ESP packet (SPI= 0x98128CD3, sequence number= 0x298) from <remote peer> (user= <peer IP>) to <local IP>.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 255.255.255.255, its source as <remote lan IP>, and its protocol as 17.  The SA specifies its local proxy as <local IP range object> and its remote_proxy as <remote lan range object>.

In this case the remote LAN IP the packet is coming from is in the remote LAN range object network.

On the Draytek I have a static route that points anything destined for the ASA local LAN range through the VPN tunnel. Everything else goes out to the Internet. Internet is working OK.

Any ideas?

If it helps, this VPN will replace an existing VPN to the ASA which is working just fine. On the ASA the remote peer and remote LAN IP range are included in any rules that the existing VPN is running on, so routes, NAT, ACL should be OK.
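
The log message quoted above can be triaged mechanically. As an added example (not part of the original post), this Python code parses the message and checks the inner packet's source and destination against the SA's proxy ranges; the CIDR ranges and the addresses in the sample line are constructed assumptions, since the post shows only object names and placeholders.

```python
import ipaddress
import re

# Inner-packet fields of the ASA "doesn't match the negotiated policy" message.
INNER_RE = re.compile(
    r"SPI=\s*(?P<spi>0x[0-9A-Fa-f]+).*?"
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: the post's message with its placeholders filled in
# with documentation and private addresses (assumptions, not from the post).
SAMPLE = (
    "IPSEC: Received an ESP packet (SPI= 0x98128CD3, sequence number= 0x298) "
    "from 203.0.113.10 (user= 203.0.113.10) to 198.51.100.1.  The decapsulated "
    "inner packet doesn't match the negotiated policy in the SA.  The packet "
    "specifies its destination as 255.255.255.255, its source as 192.168.20.15, "
    "and its protocol as 17."
)

def dst_kind(dst, local_net):
    """Classify the inner destination relative to the local proxy network."""
    if dst == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if dst.is_multicast:
        return "multicast"
    if dst == local_net.broadcast_address:
        return "directed-broadcast"
    return "unicast"

def triage(line, local_proxy, remote_proxy):
    """Report which inner-packet address falls outside the SA proxies."""
    m = INNER_RE.search(line)
    if m is None:
        return None  # not this message
    local_net = ipaddress.ip_network(local_proxy)
    remote_net = ipaddress.ip_network(remote_proxy)
    dst, src = ipaddress.ip_address(m["dst"]), ipaddress.ip_address(m["src"])
    return {
        "spi": m["spi"],
        "protocol": PROTO_NAMES.get(int(m["proto"]), m["proto"]),
        "src_in_remote_proxy": src in remote_net,
        "dst_in_local_proxy": dst in local_net,
        "dst_kind": dst_kind(dst, local_net),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "192.168.10.0/24", "192.168.20.0/24"))
```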

 


 

1 Reply

Hi codflanglers, did you have any success troubleshooting this? I have the same problem now, but I do not have control of the remote side (the Draytek).
