Hi All,

I have a customer who has a site to site IPSec VPN which requires all local PC's on the remote site to use a specified virtual IP to access the PC's at the host end, which uses a Cisco setup.

So local network of 192.10.10.x/28 must all map to 100.97.4.224/29 to use the tunnel when connecting to remote network 100.97.2.0/28

Now this has always been hard work getting a Draytek to do this. Once "IPSec VPN with the same subnets" is ticked, I've tried "Whole subnet" for the translated type with no luck, so normally have to settle for "Specific IP address", then have to enter all local IP's up to the limit of 29 as virtual IP mappings such as 192.10.10.1 to 100.97.4.224 or 192.10.10.2 to 100.97.4.224

The only way this seems to work is before I exit that screen, I need to change the "Translated to" section for "LAN1" to 100.97.2.224 as it normally shows 100.97.2.0, even when saved.

The host see this error, showing that my traffic is trying to come in on 100.97.4.0 instead of the 100.97.4.224 it needs. Any ideas please folks?
( I've hidden the first octets of the Wan IP's )

Local:x.66.10.36:4500 Remote:x.148.211.71:4500 Username:x.148.211.71 IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 100.97.4.0/100.97.4.255/0/65535/0 local traffic selector 100.97.2.0/100.97.2.15/0/65535/0!

Marcusd wrote:
I have a customer who has a site to site IPSec VPN which requires all local PC's on the remote site to use a specified virtual IP to access the PC's at the host end, which uses a Cisco setup.

See: https://www.draytek.com/support/knowledge-base/4300

Draytek wrote:
Vigor Router supports applying NAT to traffic in a LAN-to-LAN IPsec VPN, so that the remote network will only see traffic from a single IP address.

I've always wondered about that "Create multiple Phase 2 SA" option, but at https://www.draytek.com/support/knowledge-base/5428 , they say:-

Draytek wrote: Multiple SA is for connecting to a non-DrayTek VPN server with multiple subnets.

Which might be required as well?