Hi,

I have a gateway with several VPN's on.  Some via the Internet, and some routed internally via MPLS lines.  These all work fine.  Now I'm trying to set up a new site-to-site VPN and it isn't working.  

Here's what I'm trying to do:

So my peer IP is a DMZ interface - 12.12.12.178.

I'm VPNing to remote peer IP 192.168.145.10.

On the firewall I'm routing 192.168.145.0/24 via 12.12.12.224.

Firewall-A> show route destination 192.168.145.10
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive

S 192.168.145.0/24 via 12.12.12.224, eth2.105, cost 0, age 279519

I have an existing VPN set up in the same way via a different DMZ interface and that works fine - although I'm reminded that we had exactly the same problem when setting that up, and I fixed it on my side.  I just can't remember what I did to fix it, hence asking for help! 

The problem is that the remote side is seeing me coming from the gateway's public "main IP" - shown as A.A.A.A on the diagram.  In Ikeview I see IP's 192.168.145.10 and 12.12.12.178 in packets 1 to 5, then in packet 6 I'm sending my public A.A.A.A IP to the remote peer.  I don't understand why?

On my gateway I've got VPN link selection set as follows, using the routing table, which is correct.

I can't really alter this otherwise existing VPN's will stop working.

Does anyone know what else I need to do to stop P1 Packet 6 sending my A.A.A.A IP instead of the correct 12.12.12.178 IP?

Thanks,

Matt