trying to setup a PIX-Draytek VPN

huwyhuwy123
Level 1

hi there,

I'm trying to set up a VPN between a PIX and a Draytek. I've managed to get the tunnels to form but no traffic seems to be going down them. I'm guessing there's an error with NAT or an access list?

I notice in the PIX under IPSEC rules it says "incomplete" - please see the attached screenshot.

I have attached screenshots and a cleansed copy of the PIX config.

Can anyone help me with this? TIA,

Huw

5 Replies

Jennifer Halim
Cisco Employee

Based on the configuration on the PIX, I am confused how your topology is supposed to be.

Can you please advise the following:

1) What is Draytek LAN subnet?

2) On the PIX, I assume that you plan to terminate the VPN on the PIX outside interface, but your configuration looks like you are terminating it on the inside interface instead.

crypto map inside_map 20 match address inside_cryptomap_20
crypto map inside_map 20 set peer XXXXXXXX
crypto map inside_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map 40 match address inside_cryptomap_40
crypto map inside_map 40 set peer XXXXXXXX
crypto map inside_map 40 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside

and you already have existing crypto map applied to the outside. If you are supposed to be terminating it on the outside, just add them to the existing crypto map that is applied on the outside:

crypto map Thomas 1 match address inside_cryptomap_20
crypto map Thomas 1 set peer XXXXXXXX
crypto map Thomas 1 set transform-set ESP-3DES-SHA
crypto map Thomas 2 match address inside_cryptomap_40
crypto map Thomas 2 set peer XXXXXXXX
crypto map Thomas 2 set transform-set ESP-3DES-SHA

3) Your NAT exemption statement is incorrect, you would need to remove the following:

nat (inside) 0 access-list inside_nat0_inbound outside

and add the NAT exemption ACL to the existing nonat ACL. Assuming that the VPN is supposed to be terminated on the PIX outside interface, and Draytek LAN is either 10.0.0.0/24 or 20.0.0.0/24, then you should add the following:

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 20.0.0.0 255.255.255.0

4) Lastly, to check if the VPN is up or down, you can get the output of:

show cry isa sa

show cry ipsec sa

and you have to send traffic between 192.168.0.0/16 and (10.0.0.0/24 or 20.0.0.0/24) or vice versa to bring the tunnel up.
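As an added example (not part of the thread, and not Cisco or Draytek code), here is a small Python checker that encodes the two problems diagnosed above on a constructed PIX-style config fragment: the crypto map must be applied to the interface that terminates the VPN, and every source/destination pair in the crypto ACL must also be covered by the nat 0 exemption ACL. It also flags an address whose mask does not fit it. ACL names, the peer address and the sample lines are constructed for the example.

```python
import ipaddress
import re

# Constructed PIX-style fragment modelled on the thread's first attempt: crypto map
# applied to "inside", and a nat 0 exemption list that lacks the Draytek LAN.
SAMPLE_CONFIG = """
access-list inside_cryptomap_40 extended permit ip 192.168.0.0 255.255.0.0 20.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map inside_map 40 match address inside_cryptomap_40
crypto map inside_map 40 set peer 203.0.113.10
crypto map inside_map interface inside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")


def check_vpn_config(config, vpn_interface="outside"):
    """Return a list of findings; an empty list means all three checks pass."""
    acls, matches, binds, nat0, findings = {}, [], {}, [], []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            try:  # strict parsing rejects a mask that does not fit the address
                pair = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            except ValueError as err:
                findings.append(f"{name}: bad address/mask pair ({err})")
                continue
            acls.setdefault(name, []).append(pair)
        elif m := MATCH_RE.match(line):
            matches.append(m.groups())
        elif m := BIND_RE.match(line):
            binds[m.group(1)] = m.group(2)
        elif m := NAT0_RE.match(line):
            nat0.append(m.group(1))
    # Traffic covered by any nat 0 ACL bypasses translation.
    exempt = [pair for name in nat0 for pair in acls.get(name, [])]
    for map_name, acl_name in matches:
        bound = binds.get(map_name)
        if bound != vpn_interface:
            findings.append(f"crypto map {map_name} is applied to {bound}, not {vpn_interface}")
        # Interesting traffic that is still translated never matches the crypto ACL.
        for src, dst in acls.get(acl_name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"{acl_name}: {src} -> {dst} has no NAT exemption")
    return findings
```

Running `check_vpn_config(SAMPLE_CONFIG)` reports both issues; binding the map to outside and adding the 20.0.0.0/24 line to the nonat ACL clears them.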

Thanks a lot for your help Jennifer.

The Draytek LAN is 20.0.0.0/24

I will try setting up the VPN to terminate on the outside interface and let you know if it works.

-H

hi there,

I've re-run through the VPN wizard choosing to terminate the VPN on the external (rather than internal) interface. I have attached an updated config.

The end result is the same. The tunnel appears to form but no traffic is sent over it.

Should I add the NAT and NAT exemption commands you talked about above? I'm just being cautious as the PIX is in a remote site and I don't want to get locked out.

Thanks again for your help,

-H

Just to let you know I have fixed this. The last problem was down to an incorrect subnet mask. Thanks for your help.

-H

Great, thanks for the update.

Pls kindly mark the post answered so others can learn from your post.