Hi All
I am trying to establish an S2S VPN between Cisco FTD and Draytek. The Draytek has a dynamic public IP, and the Cisco FTD static. I can see phase 1 establish, however no joy with phase 2. I think it may be a NAT traversal issue, however I am a little stuck now.
Show commands below (I have obscured public IPs):
Apr 15 10:21:45 [IKEv1 DEBUG]IP = 192.168.10.10, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 5
Apr 15 10:21:45 [IKEv1 DEBUG]IP = 192.168.10.10, constructing ISAKMP SA payload
Apr 15 10:21:45 [IKEv1 DEBUG]IP = 192.168.10.10, constructing NAT-Traversal VID ver RFC payload
Apr 15 10:21:45 [IKEv1 DEBUG]IP = 192.168.10.10, constructing Fragmentation VID + extended capabilities payload
Apr 15 10:21:45 [IKEv1]IP = 192.168.10.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 15 10:21:48 [IKEv1]IKE Receiver: Packet received on 2.2.2.2:500 from 192.168.10.10:55095
Apr 15 10:21:48 [IKEv1]IP = 192.168.10.10, Duplicate first packet detected. Ignoring packet.
noApr 15 10:21:53 [IKEv1]IP = 192.168.10.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 15 10:21:53 [IKEv1]IP = 192.168.10.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 15 10:21:54 [IKEv1]IKE Receiver: Packet received on 2.2.2.2:500 from 192.168.10.10:55095
Apr 15 10:21:54 [IKEv1]IP = 192.168.10.10, Duplicate first packet detected. Ignoring packet.
AND.............
1 IKE Peer: 192.168.10.10
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
2 IKE Peer: 192.168.10.10
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
Any help/suggestions would be appreciated.
Regards
James
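
Added example, not part of the original post: a small parser that tallies, per peer, the SENDING, RESENDING and "Duplicate first packet" events in IKEv1 debug output like the above, and records the UDP source port the peer's packets arrive from. The function names are hypothetical, and the sample input is the debug lines from the post, with the addresses as the poster obscured them.

```python
import re
from collections import defaultdict

# Sample input: debug lines copied from the post above (stray "no" prefix included).
SAMPLE = """\
Apr 15 10:21:45 [IKEv1]IP = 192.168.10.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 15 10:21:48 [IKEv1]IKE Receiver: Packet received on 2.2.2.2:500 from 192.168.10.10:55095
Apr 15 10:21:48 [IKEv1]IP = 192.168.10.10, Duplicate first packet detected. Ignoring packet.
noApr 15 10:21:53 [IKEv1]IP = 192.168.10.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 15 10:21:53 [IKEv1]IP = 192.168.10.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 15 10:21:54 [IKEv1]IKE Receiver: Packet received on 2.2.2.2:500 from 192.168.10.10:55095
Apr 15 10:21:54 [IKEv1]IP = 192.168.10.10, Duplicate first packet detected. Ignoring packet.
"""

# search() rather than match(), so stray characters before the timestamp are tolerated.
PEER = re.compile(r"\[IKEv1(?: DEBUG)?\]IP = (?P<peer>[\d.]+), (?P<msg>.*)")
RECV = re.compile(r"Packet received on [\d.]+:(?P<lport>\d+) from (?P<peer>[\d.]+):(?P<rport>\d+)")

def summarize(text):
    """Return {peer: counters} for the IKEv1 debug lines in text."""
    stats = defaultdict(lambda: {"sent": 0, "resent": 0, "duplicate_first": 0,
                                 "src_ports": set()})
    for line in text.splitlines():
        m = RECV.search(line)
        if m:
            # A source port other than 500 is what a port-translating NAT
            # in the path typically produces.
            stats[m["peer"]]["src_ports"].add(int(m["rport"]))
            continue
        m = PEER.search(line)
        if not m:
            continue
        s, msg = stats[m["peer"]], m["msg"]
        if "IKE_DECODE RESENDING" in msg:
            s["resent"] += 1          # local reply retransmitted
        elif "IKE_DECODE SENDING" in msg:
            s["sent"] += 1
        elif "Duplicate first packet" in msg:
            s["duplicate_first"] += 1  # peer repeated its first message
    return dict(stats)

def stalled_peers(stats):
    """Peers where the local reply is resent while the peer repeats its first packet."""
    return sorted(p for p, s in stats.items() if s["resent"] and s["duplicate_first"])

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result, stalled_peers(result))
```

A peer listed by stalled_peers() is one where both ends are retransmitting the opening messages, so the next thing to check is whether the reply is reaching the peer at the address and port shown in src_ports.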