03-27-2012 02:05 PM
Hi,
I've recently installed a Cisco ASA with a NAT'd configuration. I'm in the final stages and would like to configure a LAN-to-LAN VPN to a Draytek box, but that unfortunately isn't going well, and having spent almost two days on it I am starting to wonder if it will actually work. I can get it to connect, but no data seems to be transmitted between the two.
Site A, on the 10.0.0.0 range, has the ASA; Site B is on the 192.168.16.0 range and is a Draytek 2930.
Below is the ASA config created with the LAN-to-LAN wizard:
route outside 0.0.0.0 0.0.0.0 193.164.x
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.16.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 176.35.x
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 176.35.x
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal 3DES
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 130.88.203.12 source outside prefer
webvpn
group-policy GroupPolicy_176.35.x internal
group-policy GroupPolicy_176.35.x attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 176.35.x type ipsec-l2l
tunnel-group 176.35.x general-attributes
default-group-policy GroupPolicy_176.35.x
tunnel-group 176.35.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
The 2960 is set to 3DES with Authentication.
What the stats say is below, so there is obviously an error somewhere.
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.16.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.16.0/255.255.255.0/0/0)
current_peer: 176.35.112.38
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 24
Here is the debug log; it doesn't look like there's anything obvious there?
IPSEC: New embryonic SA created @ 0x748f8a30,
    SCB: 0x72FD2F28,
    Direction: inbound
    SPI      : 0x13A56ABA
    Session ID: 0x0006E000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x748b6de0,
    SCB: 0x746FD8E8,
    Direction: outbound
    SPI      : 0x678FA4E0
    Session ID: 0x0006E000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x678FA4E0
IPSEC: Creating outbound VPN context, SPI 0x678FA4E0
    Flags: 0x00000005
    SA   : 0x748b6de0
    SPI  : 0x678FA4E0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x5FA611AF
    Channel: 0x6deb45c0
IPSEC: Completed outbound VPN context, SPI 0x678FA4E0
    VPN handle: 0x0009a664
IPSEC: New outbound encrypt rule, SPI 0x678FA4E0
    Src addr: 10.0.0.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.16.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x678FA4E0
    Rule ID: 0x746ffec0
IPSEC: New outbound permit rule, SPI 0x678FA4E0
    Src addr: 193.164.206.198
    Src mask: 255.255.255.255
    Dst addr: 176.35.112.38
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x678FA4E0
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x678FA4E0
    Rule ID: 0x7374bbe0
IPSEC: Completed host IBSA update, SPI 0x13A56ABA
IPSEC: Creating inbound VPN context, SPI 0x13A56ABA
    Flags: 0x00000006
    SA   : 0x748f8a30
    SPI  : 0x13A56ABA
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0009A664
    SCB  : 0x5FA5C58F
    Channel: 0x6deb45c0
IPSEC: Completed inbound VPN context, SPI 0x13A56ABA
    VPN handle: 0x0009d7c4
IPSEC: Updating outbound VPN context 0x0009A664, SPI 0x678FA4E0
    Flags: 0x00000005
    SA   : 0x748b6de0
    SPI  : 0x678FA4E0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x0009D7C4
    SCB  : 0x5FA611AF
    Channel: 0x6deb45c0
IPSEC: Completed outbound VPN context, SPI 0x678FA4E0
    VPN handle: 0x0009a664
IPSEC: Completed outbound inner rule, SPI 0x678FA4E0
    Rule ID: 0x746ffec0
IPSEC: Completed outbound outer SPD rule, SPI 0x678FA4E0
    Rule ID: 0x7374bbe0
IPSEC: New inbound tunnel flow rule, SPI 0x13A56ABA
    Src addr: 192.168.16.0
    Src mask: 255.255.255.0
    Dst addr: 10.0.0.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x13A56ABA
    Rule ID: 0x7489e718
IPSEC: New inbound decrypt rule, SPI 0x13A56ABA
    Src addr: 176.35.112.38
    Src mask: 255.255.255.255
    Dst addr: 193.164.206.198
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x13A56ABA
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x13A56ABA
    Rule ID: 0x748f6a78
IPSEC: New inbound permit rule, SPI 0x13A56ABA
    Src addr: 176.35.x
    Src mask: 255.255.255.255
    Dst addr: 193.164.x
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x13A56ABA
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x13A56ABA
    Rule ID: 0x748f6b10
Do I need to add a route for 192.168.16.0 ?
Any help would be greatly appreciated.
Thanks,
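The counters in the post tell a specific story: the SAs are up, the Draytek side has sent 27 ESP packets, the ASA has encrypted only 3, and 24 received packets were dropped after decapsulation. On an ASA running 8.3 or later (the `ikev1` keyword syntax in the posted config) NAT is applied before the crypto map ACL is evaluated, so on a NAT'd box the interesting traffic needs an identity ("NAT exemption") rule or the PAT'd source never matches `outside_cryptomap`. The posted excerpt contains no `nat` statements at all. The script below is an added triage example written for this thread, not the poster's configuration or any Cisco tool: it parses the `show crypto ipsec sa` counters and a running-config excerpt, flags the one-way traffic pattern, checks whether a twice-NAT identity rule covers the crypto ACL's network pair, and prints the exemption to add. The sample text is constructed from the post; the object names (`inside-net`, `siteB-net`, `L2L-LOCAL`, `L2L-REMOTE`), the dynamic PAT line, and the host addresses in the `packet-tracer` hint are assumptions for illustration.

```python
"""Triage for an ASA LAN-to-LAN IPsec tunnel that is up but passes no traffic.

Added example for this thread, not the poster's config or Cisco tooling.
Object names, the dynamic PAT line and the packet-tracer hosts are assumptions.
"""
import ipaddress
import re

# Constructed sample: the counters as posted in the thread.
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.16.0/255.255.255.0/0/0)
current_peer: 176.35.112.38
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27
#send errors: 0, #recv errors: 24
"""

# Constructed config excerpt: the posted crypto ACL plus an assumed PAT rule,
# with no identity NAT for the VPN traffic.
SAMPLE_CONFIG_NO_EXEMPT = """\
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.16.0 255.255.255.0
object network inside-net
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface
"""

# Constructed: the same excerpt with the identity rule in place. Sequence 1
# puts it ahead of the dynamic PAT rule, which is what makes it effective.
SAMPLE_CONFIG_EXEMPT = SAMPLE_CONFIG_NO_EXEMPT + """\
object network siteB-net
 subnet 192.168.16.0 255.255.255.0
nat (inside,outside) 1 source static inside-net inside-net destination static siteB-net siteB-net no-proxy-arp route-lookup
"""


def parse_counters(sa_text):
    """Return encaps/decaps and send/recv error counters from 'show crypto ipsec sa'."""
    counters = {}
    for name, value in re.findall(r"#pkts (encaps|decaps): (\d+)", sa_text):
        counters[name] = int(value)
    for name, value in re.findall(r"#(send|recv) errors: (\d+)", sa_text):
        counters[name + "_errors"] = int(value)
    return counters


def parse_crypto_acl(config, acl_name):
    """Return (src, dst) network pairs from 'access-list <name> extended permit ip A M B M'."""
    pat = re.compile(
        rf"^access-list {re.escape(acl_name)} extended permit ip (\S+) (\S+) (\S+) (\S+)\s*$",
        re.M)
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in pat.findall(config)]


def parse_network_objects(config):
    """Map 'object network NAME' followed by ' subnet A M' or ' host A' to an ip_network."""
    objects = {}
    pat = re.compile(r"^object network (\S+)\n (subnet (\S+) (\S+)|host (\S+))", re.M)
    for name, _, net, mask, host in pat.findall(config):
        objects[name] = ipaddress.ip_network(f"{net}/{mask}" if net else f"{host}/32")
    return objects


def has_nat_exemption(config, src_net, dst_net):
    """True if a twice-NAT identity rule (real == mapped on both sides) covers src->dst."""
    objects = parse_network_objects(config)
    pat = re.compile(
        r"^nat \(\S+,\S+\) (?:\d+ )?source static (\S+) (\S+) destination static (\S+) (\S+)",
        re.M)
    for s_real, s_mapped, d_real, d_mapped in pat.findall(config):
        if s_real != s_mapped or d_real != d_mapped:
            continue  # a real translation, not an exemption
        s_net, d_net = objects.get(s_real), objects.get(d_real)
        if s_net and d_net and src_net.subnet_of(s_net) and dst_net.subnet_of(d_net):
            return True
    return False


def suggested_nat_exemption(src_net, dst_net):
    """ASA 8.3+ identity NAT for the VPN pair; sequence 1 so it precedes dynamic PAT."""
    return "\n".join([
        "object network L2L-LOCAL",
        f" subnet {src_net.network_address} {src_net.netmask}",
        "object network L2L-REMOTE",
        f" subnet {dst_net.network_address} {dst_net.netmask}",
        "nat (inside,outside) 1 source static L2L-LOCAL L2L-LOCAL "
        "destination static L2L-REMOTE L2L-REMOTE no-proxy-arp route-lookup",
    ])


def diagnose(sa_text, config, acl_name="outside_cryptomap"):
    """Return (code, message) findings; an empty list means nothing looked wrong."""
    findings = []
    c = parse_counters(sa_text)
    enc, dec = c.get("encaps", 0), c.get("decaps", 0)
    if dec > 0 and enc * 4 < dec:
        findings.append(("ONE_WAY",
            f"peer sent {dec} packets but the ASA encrypted only {enc}: inside-to-remote "
            "traffic is not being selected by the crypto map (NAT runs before the crypto "
            "ACL is checked, so a PAT'd source never matches it)"))
    if c.get("recv_errors", 0):
        findings.append(("RECV_ERRORS",
            f"{c['recv_errors']} of {dec} decapsulated packets were dropped: "
            "check 'show asp drop' for the drop reason"))
    pairs = parse_crypto_acl(config, acl_name)
    if not pairs:
        findings.append(("NO_CRYPTO_ACL", f"no 'permit ip' entries found in {acl_name}"))
    for src_net, dst_net in pairs:
        if not has_nat_exemption(config, src_net, dst_net):
            src_host, dst_host = next(src_net.hosts()), next(dst_net.hosts())  # assumed hosts
            findings.append(("NO_NAT_EXEMPT",
                f"no identity NAT for {src_net} -> {dst_net}; add:\n"
                f"{suggested_nat_exemption(src_net, dst_net)}\n"
                f"then verify: packet-tracer input inside icmp {src_host} 8 0 {dst_host} detailed"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(SAMPLE_SA, SAMPLE_CONFIG_NO_EXEMPT):
        print(f"[{code}] {msg}")
```

Run against the constructed excerpt it reports ONE_WAY, RECV_ERRORS and NO_NAT_EXEMPT; against the variant with the identity rule, NO_NAT_EXEMPT disappears. `packet-tracer` shows the same thing interactively: if the NAT phase rewrites the source to the outside address, the trace never reaches a VPN encrypt phase. Two caveats a practitioner would add once the tunnel passes traffic: the wizard output accepts DES, MD5 and `authentication crack` in the IKEv1 policies and DES/3DES in the IPsec proposals, and should be trimmed to the strongest set the Draytek supports; and `http 192.168.16.0 255.255.255.0 inside` opens ASDM to the remote LAN, which is only appropriate if that is intended.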
06-03-2012 04:17 PM
Hey Dominic,
Good news is that Draytek 2820s, 2830s etc. to Cisco ASA does work! I have about 15 of them connecting to an ASA 5510.
Sad news is that I am a GUI person, so I am not sure what config to send you.
I would be happy to share the configs... let me know if you were successful.