Drop Code 338(Octeon Decryption Failed for inbound packet): Site to Site IPSec VPN
03/26/2020 28 12908
Drop Code 338(Octeon Decryption Failed for inbound packet): Site to Site IPSec VPN no traffic between SNWL firewall and Mikrotik device.
Site to Site IPSec VPN was set up between SonicWall and Mikrotik. On SonicWall there are multiple VLANs created under X0 and X3 with different zones of trusted type:
172.16.15.0/255.255.255.0 VLAN 15 (VPNinternal)
172.16.255.0/255.255.255.0 VLAN 20 (admin/mgmt)
172.16.100.0/255.255.255.0 VLAN 100 (voice)
172.16.8.0/255.255.255.0 VLAN 11 (pc/printer)
172.16.0.0/255.255.255.0 VLAN 12 (servers)
When set VPN Source as 172.16.0.0/16 (as LAN) and changed the zones to LAN, everything works fine. However, when created an address group for all 5 VLAN networks, then SonicWall dropped reply packet as Octeon Decryption failed. Checked the configuration on SonicWall and it looks correct.
In this case the issue is due to the setting of the option Level under IP | IPsec | Policy in Mikrotik device. It should be unique rather than require which is by default.
The Level options specified as below:
|level (require | unique | use; Default:require)||Specifies what to do if some of the SAs for this policy cannot be found:|
- use - skip this transform, do not drop packet and do not acquire SA from IKE daemon
- require - drop packet and acquire SA
- unique - drop packet and acquire a unique SA that is only used with this particular policy
So make sure you set level of the IPsec Policy to 'unique' for each subnet in Mikrotik device if you create an address group object on far end SonicWall.