Cisco 881 VPN Help

sjsteve33171
Level 1

Hi All,

I'm not Cisco trained nor have I ever worked with Cisco; I'm a complete newbie when it comes to Cisco platforms. We are an IT Support MSP and we've recently taken on a customer who has an office abroad using a Cisco 881 device with a Draytek router in the UK. Site-to-site connectivity is required. I've looked around and watched some YouTube videos on how to set up the VPN and believe I have this in place using the below config on the Cisco:

 

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ******** address *******
!
crypto ipsec transform-set sha3des esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer **********
 set transform-set sha3des
 set pfs group2
 match address UK

!

interface FastEthernet4
 ip address <WAN IP> <WAN SUBNET>
 ip access-group netbios in
 ip access-group netbios out
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN

!
interface Vlan1
 ip address <WAN IP 2> <WAN SUBNET> secondary
 ip address <LAN IP> 255.255.255.0
 ip access-group netbios in
 ip access-group netbios out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
!

ip access-list extended UK
 permit ip <LOCAL LAN> 0.0.0.255 <REMOTE LAN> 0.0.0.255
 permit ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

 

The VPN shows as up and active but there is no traffic flow between the two and I have no idea why...

 

Crypto session current status

Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: <REMOTE WAN> port 500
  IKEv1 SA: local <LOCAL WAN>/500 remote <REMOTE WAN>/500 Active
  IPSEC FLOW: permit ip <REMOTE LAN>/255.255.255.0 <LOCAL LAN>/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip <LOCAL LAN>/255.255.255.0 <REMOTE LAN>/255.255.255.0
        Active SAs: 2, origin: crypto map

 

So it all looks fine; however, if I try to ping the remote site's router over the remote LAN IP I get the following:

 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <REMOTE IP>, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

I also cannot ping from the remote site into the Cisco LAN.

 

I believe this is down to the Cisco end; the Draytek is a basic router and no routing is able to be configured. It does it automatically. So the VPN is up, no traffic flow.

 

Please can someone point me in the right direction?

 

Thank You

1 Accepted Solution