2859 Views, 0 Helpful, 4 Replies

VPN from cisco 877 to draytek 2600 help

Ga22at1709 (Level 1)

Firstly, I would like to apologise for my complete lack of Cisco knowledge; I have had the problem of replacing our DrayTek routers dumped in my lap.

Here's the background:

I have a Cisco 877 router connected to our ADSL broadband at our head office. I have managed to set this up with NAT and DHCP all working to let multiple users access the internet through our single static IP supplied by the ISP; let's say the IP is 1.2.3.4.

Our internal network is 192.168.1.0 255.255.255.0

I have a DrayTek Vigor 2600 at a branch office set up the same way with a static IP address supplied by the ISP; let's say the IP is 5.6.7.8.

The internal network is 192.168.4.0 255.255.255.0

Here's the problem (apart from me):

I am trying to set up a VPN between the head office and the branch office so the branch office users can connect to our internal server (let's say its IP is 192.168.1.2) to receive group policies and access files, and also telnet into our database server (let's say its IP is 192.168.1.3).

I have attached a sort of running config that I have pieced together from bits I have read on this site and others. I have tried these settings and other permutations of them, but I can't seem to establish a tunnel, even though when I do "show int tunnel0" on the router it says the tunnel is up and line protocol is up, and if I do "show ip route" it shows that there is an IP address for the tunnel, and that is about it (no VPN light on).

Could someone please take a look at the file and see if it makes sense and that I have entered the right information? I have highlighted the parts I am not sure about in red (quite a bit, and obviously not the exact settings, but what I think they should be).

And

Once all the settings are correct on the Cisco, will it automatically establish the VPN, or do I have to dial it from the DrayTek?

Accepted Solution

Hi,

Can you enable "debug cry isa" and "debug cry ips" and post it here? It seems like either the crypto ACL, transform set or PFS settings could be mismatched. Ensure all phase 2 parameters are matching at both ends.

Regards,

Prapanch


4 Replies

Ga22at1709 (Level 1)

OK, I have got the tunnel trying to establish, but it keeps failing on phase 2. I have the following two lines in the "debug crypto isakmp" log:

*Jul 12 17:54:16.088: ISAKMP:(1013): IPSec policy invalidated proposal

*Jul 12 17:54:16.088: ISAKMP:(1013): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)

Can anybody tell me what this means?

Thanks

Gareth


Finally got the VPN working with the following config:

Current configuration : 4866 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret (My Password)
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool DHCP1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server (ISP DNS server addresses)
   domain-name (My Domain.com)
!
ip name-server (ISP name server 1)
ip name-server (ISP name server 2)
!
username (My Username) password (My Password)
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 lifetime 3600
crypto isakmp key (Pre-share Key) address (Outside IP address of remote router) no-xauth
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto dynamic-map dm 1
 reverse-route
!
crypto map clientmap 1 ipsec-isakmp
 set peer (Outside IP address of remote router)
 set transform-set vpn
 match address 100
 reverse-route
!
interface Loopback0
 no ip address
!
interface ATM0
 no ip address
 no ip redirects
 ip virtual-reassembly
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface Virtual-Template1
 mtu 1300
 ip unnumbered Loopback0
 ip nat outside
 ip virtual-reassembly
!
interface Virtual-Template3
 no ip address
!
interface Virtual-Dot11Radio3
 no ip address
!
interface Virtual-PPP3
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1452
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1448
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname (ISP username)
 ppp chap password (ISP password)
 crypto map clientmap
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.4.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Dialer0
!
ip http server
ip http secure-server
ip nat pool Nat1 192.168.1.0 192.168.2.0 netmask 0.0.0.255
ip nat inside source list 101 interface Dialer0 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
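The accepted answer points at the usual causes of "phase 2 SA policy not acceptable" (crypto ACL, transform set or PFS not matching the peer), and the working config above shows the other piece that has to be right: the NAT ACL (101) must deny the 192.168.1.0/24 to 192.168.4.0/24 traffic before the crypto map sees it, otherwise it is translated to the public address and never matches crypto ACL 100. The script below is an added example, not code from the thread or from Cisco or DrayTek. It parses a constructed IOS excerpt that mirrors the posted config and compares it with an assumed dictionary representing the DrayTek LAN-to-LAN profile (DrayTek exposes these as GUI fields, so the field names here are an assumption), reporting each phase 2 or NAT mismatch it finds.

```python
"""Cross-check an IOS site-to-site IPsec config against the peer's phase 2 settings.
Added example, not from the thread. IOS_CONFIG is a constructed excerpt mirroring
the posted config; DRAYTEK_PROFILE is an assumed representation of the peer side."""
import ipaddress
import re

IOS_CONFIG = """\
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto map clientmap 1 ipsec-isakmp
 set peer 5.6.7.8
 set transform-set vpn
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
"""

DRAYTEK_PROFILE = {  # assumed field names for the branch router's LAN-to-LAN profile
    "local_network": "192.168.4.0/24",   # branch LAN
    "remote_network": "192.168.1.0/24",  # head-office LAN
    "esp_encryption": "3des", "esp_auth": "sha",
    "pfs": False,
}

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair (contiguous wildcards only) to a network."""
    host_bits = int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def take_selector(toks):
    """Consume one ACL address selector: 'any', 'host A.B.C.D' or 'addr wildcard'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return wildcard_to_network(toks[0], toks[1]), toks[2:]

def parse_acls(cfg):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for extended 'ip' entries."""
    acls = {}
    for line in cfg.splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list" or toks[3] != "ip":
            continue
        src, rest = take_selector(toks[4:])
        dst, _ = take_selector(rest)
        acls.setdefault(toks[1], []).append((toks[2], src, dst))
    return acls

def parse_transform_set(cfg):
    """Return (encryption, auth) of the first transform set, e.g. ('3des', 'sha')."""
    transforms = re.search(r"crypto ipsec transform-set \S+((?: esp-\S+)+)", cfg).group(1).split()
    enc = auth = None
    for t in transforms:
        if t.endswith("-hmac"):
            auth = t[len("esp-"):-len("-hmac")]
        else:
            enc = t[len("esp-"):]
    return enc, auth

def parse_crypto_map(cfg):
    """Return the crypto ACL number and PFS group (None if unset) of the first map entry."""
    body = re.search(r"crypto map \S+ \d+ ipsec-isakmp\n((?: .+\n)+)", cfg).group(1)
    entry = {"pfs": None}
    for line in body.splitlines():
        toks = line.split()
        if toks[:2] == ["match", "address"]:
            entry["acl"] = toks[2]
        elif toks[:2] == ["set", "pfs"]:
            entry["pfs"] = toks[2]
    return entry

def check_phase2(cfg, peer):
    """Return a list of phase 2 / NAT mismatches; an empty list means the proposals line up."""
    findings = []
    acls, cmap = parse_acls(cfg), parse_crypto_map(cfg)
    enc, auth = parse_transform_set(cfg)
    branch = ipaddress.ip_network(peer["local_network"])
    head_office = ipaddress.ip_network(peer["remote_network"])
    # 1. The crypto ACL must be the mirror image of the peer's local/remote selectors.
    permits = [(s, d) for a, s, d in acls.get(cmap["acl"], []) if a == "permit"]
    if (head_office, branch) not in permits:
        findings.append(f"crypto ACL {cmap['acl']} lacks permit {head_office} -> {branch}")
    # 2. ESP transforms must equal the peer's phase 2 proposal.
    if (enc, auth) != (peer["esp_encryption"], peer["esp_auth"]):
        findings.append(f"transform set {enc}/{auth} != peer {peer['esp_encryption']}/{peer['esp_auth']}")
    # 3. PFS must be enabled on both ends or on neither.
    if bool(cmap["pfs"]) != peer["pfs"]:
        findings.append(f"PFS mismatch: local {cmap['pfs']}, peer {peer['pfs']}")
    # 4. VPN traffic must hit a deny in the NAT ACL before any permit; otherwise it is
    #    translated to the public address and never matches the crypto ACL.
    nat_acl = re.search(r"ip nat inside source list (\S+)", cfg).group(1)
    for action, s, d in acls.get(nat_acl, []):
        if s.overlaps(head_office) and d.overlaps(branch):
            if action == "permit":
                findings.append(f"NAT ACL {nat_acl} translates {head_office} -> {branch} traffic")
            break
    return findings

if __name__ == "__main__":
    for f in check_phase2(IOS_CONFIG, DRAYTEK_PROFILE) or ["phase 2 parameters match"]:
        print(f)
```

Run it against the real running config by reading `show running-config` output into `IOS_CONFIG`; a mirror-image mismatch (selectors swapped, or a different subnet on one side) and an enabled-on-one-side-only PFS setting are the two findings that correspond most directly to the "IPSec policy invalidated proposal" line in the debug.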

Hey,

Glad to know that! And thanks for posting the working configs.

Cheers,

Prapanch