Richard Cooper asked:
Site to Site Cisco 506e to Draytek 2800 using VPN ?

I have a client with two sites which were linked by a VPN using Cisco 506 pix's.
One of the pix boxes has failed but they have a spare Draytek 2800 router which has lan to lan VPN capabilities.
I have tried to set the Draytek up but I am unable to create the VPN link.
Is it possible to link site to site VPN using a cisco 506e and a draytek 2800 router?



ASKER CERTIFIED SOLUTION
batry_boy
Richard Cooper (ASKER):
Hi,

It's almost there using the instructions from the post above, but I keep getting the following error on the pix every time it tries to create the VPN connection.

Any more ideas?


ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting SA: src xxx.xxx.xxx.xxx, dst xxx.xxx.xxx.xxx
ISADB: reaper checking SA 0xd44afc, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:xxx.xxx.xxx.xxx/500 Ref cnt decremented to:0 Total VPN Peers:5
VPN Peer: ISAKMP: Deleted peer: ip:xxx.xxx.xxx.xxx/500 Total VPN peers:4
ISADB: reaper checking SA 0x100b0dc, conn_id = 0
ISADB: reaper checking SA 0x1009744, conn_id = 0
ISADB: reaper checking SA 0x1008abc, conn_id = 0
ISADB: reaper checking SA 0xd43b34, conn_id = 0
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
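The debug output above says where the negotiation is failing: there are no phase 1 retransmits, but phase 2 (quick mode) is retransmitted and the SA is then deleted, which means main mode completed and the two sides could not agree on the IPsec SA. The following Python triage script is an added example, not part of the thread or of any Cisco tooling; it counts retransmits and duplicate packets per IKE phase in PIX 6.x `debug crypto isakmp` output and names the stage to look at. The sample lines are a constructed copy of the post's output with documentation-range placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample in the style of the PIX 6.x "debug crypto isakmp" output quoted
# in the post; the peer addresses are documentation-range placeholders.
SAMPLE_DEBUG = """\
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting SA: src 203.0.113.10, dst 198.51.100.2
ISADB: reaper checking SA 0xd44afc, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer ip:198.51.100.2/500 Ref cnt decremented to:0 Total VPN Peers:5
VPN Peer: ISAKMP: Deleted peer: ip:198.51.100.2/500 Total VPN peers:4
"""

RETRANSMIT = re.compile(r"retransmitting phase (\d)")
DUPLICATE = re.compile(r"phase (\d) packet is a duplicate")
DELETE_SA = re.compile(r"deleting SA: src (\S+), dst (\S+)")


def triage_isakmp(debug_text):
    """Count retransmits/duplicates per IKE phase and name the most likely failing stage."""
    retransmits = Counter()
    duplicates = Counter()
    deleted_sas = []
    for line in debug_text.splitlines():
        m = RETRANSMIT.search(line)
        if m:
            retransmits[int(m.group(1))] += 1
        m = DUPLICATE.search(line)
        if m:
            duplicates[int(m.group(1))] += 1
        m = DELETE_SA.search(line)
        if m:
            deleted_sas.append((m.group(1), m.group(2)))

    # Phase 1 problems mask everything else, so test for them first.
    if retransmits[1] or duplicates[1]:
        diagnosis = ("phase 1 (main mode) not completing: check the pre-shared key, "
                     "the ISAKMP policy match and reachability of UDP/500 between peers")
    elif retransmits[2] or duplicates[2]:
        diagnosis = ("phase 1 completed but phase 2 (quick mode) is not: the usual causes are "
                     "mismatched crypto ACLs / proxy IDs, transform sets or PFS settings")
    elif deleted_sas:
        diagnosis = "SA deleted without retransmits: lifetime expiry or deliberate teardown"
    else:
        diagnosis = "no failure indicators found"

    return {
        "retransmits": dict(retransmits),
        "duplicates": dict(duplicates),
        "deleted_sas": deleted_sas,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for key, value in triage_isakmp(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run on the sample it reports two phase 2 retransmits, one phase 2 duplicate, one deleted SA and the "phase 1 completed but phase 2 is not" diagnosis, which is exactly the situation in the post: the pre-shared key and ISAKMP policy are fine, and the mismatch is in the IPsec proposal or the interesting-traffic definition on the Draytek side.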
I just looked at that post's example PIX config and see at least one thing that is nonstandard.  Please post your PIX config so we can take a look...
Pix config: There used to be three connected pix boxes but now there are two pix and I am trying to connect a draytek to this pix using the access-list 130. The other pix to access-list 140 is working fine.

Please let me know if you spot anything.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname PIX
domain-name X.X
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list 100 permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 140 permit ip 192.168.0.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 130 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
ip address inside 192.168.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool client-pool 192.168.7.1-192.168.7.254
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.0.10 255.255.255.255 inside
pdm location 192.168.0.11 255.255.255.255 inside
pdm location 192.168.6.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 192.168.12.0 255.255.255.0 outside
pdm location 192.168.13.0 255.255.255.0 outside
pdm location 192.168.4.0 255.255.255.0 outside
pdm location 192.168.0.7 255.255.255.255 inside
pdm location 192.168.0.18 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 XXX.XXX.XXX.XXX
nat (inside) 0 access-list 100
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XXX.XXX.XXX.XXX 192.168.0.7 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.XXX 192.168.0.1 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.XXX 192.168.0.6 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit icmp any any echo
conduit permit icmp any any echo-reply
conduit permit icmp any any time-exceeded
conduit permit icmp any any unreachable
conduit permit icmp any any source-quench
conduit permit tcp host XXX.XXX.XXX.XXX eq smtp any
conduit permit tcp host XXX.XXX.XXX.XXX  eq www any
conduit permit tcp host XXX.XXX.XXX.XXX  eq https any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX  1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dialup 20 set transform-set myset
crypto map both 10 ipsec-isakmp
crypto map both 10 match address 140
crypto map both 10 set peer XXX.XXX.XXX.XXX
crypto map both 10 set transform-set myset
crypto map both 15 ipsec-isakmp
crypto map both 15 match address 130
crypto map both 15 set peer XXX.XXX.XXX.XXX
crypto map both 15 set transform-set myset
crypto map both 30 ipsec-isakmp dynamic dialup
crypto map both client configuration address initiate
crypto map both interface outside
crypto map dialin 30 ipsec-isakmp dynamic dialup
crypto map dialin client configuration address initiate
isakmp enable outside
isakmp key ******** address XXX.XXX.XXX.XXX  netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XXX.XXX.XXX.XXX  netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
vpngroup group idle-time 1800
vpngroup VPNlittle address-pool client-pool
vpngroup VPNlittle dns-server 192.168.0.9 195.8.69.7
vpngroup VPNlittle wins-server 192.168.0.9 195.8.69.7
vpngroup VPNlittle idle-time 1800
vpngroup VPNlittle password ********
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.7.0 255.255.255.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:4bd8d03b9d7ced3c7f5a71bb39906594
: end
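When a second site-to-site entry is added to a PIX 6.x crypto map like the one above, the things that have to line up are: the `match address` ACL exists, its traffic is also exempted from NAT by the `nat (inside) 0 access-list` ACL, the peer has an `isakmp key`, and the transform set is defined; the IKE policy is also where DES, MD5 and group 1 show up. The checker below is an added example written for this thread, not Cisco or Draytek code, and it assumes only the PIX 6.x command syntax shown in the posted config. Its sample input is a constructed excerpt with documentation-range peer addresses; the sequence-20 entry and its `access-list 150` are invented so that the checks have something to find, and the ACL-versus-NAT comparison is exact-match only (real ACL semantics allow a wider nat 0 entry to cover a narrower crypto ACL).

```python
# Constructed excerpt modelled on the PIX 6.3 config posted above; peer addresses are
# documentation-range placeholders, and crypto map entry 20 / access-list 150 are
# deliberately broken additions so the checker has findings to report.
SAMPLE_CONFIG = """\
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 140 permit ip 192.168.0.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 130 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 150 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0
nat (inside) 0 access-list 100
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map both 10 ipsec-isakmp
crypto map both 10 match address 140
crypto map both 10 set peer 198.51.100.2
crypto map both 10 set transform-set myset
crypto map both 15 ipsec-isakmp
crypto map both 15 match address 130
crypto map both 15 set peer 198.51.100.3
crypto map both 15 set transform-set myset
crypto map both 20 ipsec-isakmp
crypto map both 20 match address 150
crypto map both 20 set peer 198.51.100.4
crypto map both 20 set transform-set strongset
crypto map both 30 ipsec-isakmp dynamic dialup
crypto map both interface outside
isakmp key ******** address 198.51.100.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 198.51.100.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3000
"""

# IKE policy values a reviewer would flag today.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}


def parse_pix(config):
    """Pull the VPN-relevant statements out of a PIX 6.x running config."""
    acls, maps, tsets, keyed_peers, policies = {}, {}, set(), set(), {}
    nat0_acl = None
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 8 and p[0] == "access-list" and p[2] == "permit":
            acls.setdefault(p[1], []).append((p[4], p[5], p[6], p[7]))  # src, mask, dst, mask
        elif p[:2] == ["nat", "(inside)"] and p[2:4] == ["0", "access-list"]:
            nat0_acl = p[4]
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(p[3])
        elif p[:2] == ["crypto", "map"] and len(p) > 4 and p[3].isdigit():
            entry = maps.setdefault((p[2], int(p[3])), {})
            if p[4:6] == ["match", "address"]:
                entry["acl"] = p[6]
            elif p[4:6] == ["set", "peer"]:
                entry["peer"] = p[6]
            elif p[4:6] == ["set", "transform-set"]:
                entry["tset"] = p[6]
            elif "dynamic" in p[4:]:
                entry["dynamic"] = True
        elif p[:2] == ["isakmp", "key"] and len(p) >= 5:
            keyed_peers.add(p[4])
        elif p[:2] == ["isakmp", "policy"] and len(p) >= 5:
            policies.setdefault(p[2], {})[p[3]] = p[4]
    return acls, maps, tsets, keyed_peers, policies, nat0_acl


def lint_vpn(config):
    """Return findings for the static (site-to-site) crypto map entries and the IKE policies."""
    acls, maps, tsets, keyed_peers, policies, nat0_acl = parse_pix(config)
    exempt = set(acls.get(nat0_acl, []))
    findings = []
    for (name, seq), e in sorted(maps.items()):
        if e.get("dynamic"):
            continue  # dial-in entries have no fixed peer or ACL to check
        tag = f"crypto map {name} {seq}"
        acl = e.get("acl")
        if acl not in acls:
            findings.append(f"{tag}: match address {acl} refers to a missing or empty ACL")
        else:
            for ace in acls[acl]:
                # Interesting traffic must also be in the nat 0 ACL, or the PIX translates
                # it before the crypto map sees it and the SA never matches.
                if ace not in exempt:
                    findings.append(f"{tag}: {ace[0]} -> {ace[2]} not exempted from NAT by ACL {nat0_acl}")
        if "peer" not in e:
            findings.append(f"{tag}: no peer configured")
        elif e["peer"] not in keyed_peers:
            findings.append(f"{tag}: no isakmp key for peer {e['peer']}")
        if e.get("tset") not in tsets:
            findings.append(f"{tag}: transform-set {e.get('tset')} is not defined")
    for num, attrs in sorted(policies.items(), key=lambda kv: int(kv[0])):
        weak = [f"{k} {attrs[k]}" for k, bad in WEAK.items() if attrs.get(k) in bad]
        if weak:
            findings.append(f"isakmp policy {num}: weak settings ({', '.join(weak)})")
    return findings


if __name__ == "__main__":
    for finding in lint_vpn(SAMPLE_CONFIG):
        print(finding)
```

On the sample the two entries copied from the post (sequence 10 and 15) pass every structural check, entry 20 produces three findings (its traffic is not in the nat 0 ACL, its peer has no pre-shared key, its transform set does not exist), and policy 1 is reported for DES, MD5 and group 1. Feed it a real `write terminal` dump and the structural findings are the first things to rule out before comparing proposals with the far end.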
Not sure if this helps,
I have just noticed in the VPN log on the Draytek router the log says
"initiating IKE Main Mode to (ip)", which goes to the correct IP of the site I am trying to connect to.
But the next line on the log says
"Responding to Main Mode from (ip)", which is the IP address of the other site which has already connected to the pix.

The problem has been resolved by a Draytek engineer. The Config on the Draytek needed to be modified.