One Way tunnel between Cisco and Draytek

Hi there,
I've setup an IPSEC tunnel between a cisco router and Draytek router. The tunnel seems to have come up but is one sided only. Meaning that when i do show crypto ipsec sa, it shows me only packets decrypted but zero packet encrypted. On Cisco, it shows recieve error. At Draytek end, it shows packets are sent but not getting recieved. I've attached the configuration of Cisco and Draytek snapshots. Can you please help in finding out the issue ! Thanks,

Cisco Router Config

Open in new window

draytek.docx

Cisco Router config attached !

LondonOffice#sh running-config
Building configuration...

Current configuration : 4643 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3

username admin privilege 15 secret xxx
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
!
crypto isakmp policy 15
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address 213.200.212.146 no-xauth
crypto isakmp key xxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set tset esp-aes
 mode transport
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile cisco
 set transform-set tset
!
!
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 213.200.212.146
 set transform-set cm-transformset-1
 match address 100
!
!
!
interface Tunnel0
 ip address 172.20.1.4 255.255.0.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map multicast x.x.x.
 ip nhrp map 172.20.1.1 x.x.x.x
 ip nhrp network-id 1
 ip nhrp nhs x.x.x.x
 ip nhrp cache non-authoritative
 ip tcp adjust-mss 1360
 tunnel source 94.193.99.6
 tunnel mode gre multipoint
 tunnel key xxx
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address 10.100.10.126 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 94.193.99.6 255.255.248.0
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map cm-cryptomap
!
router eigrp 2
 network 10.100.10.0 0.0.0.127
 network 172.20.0.0
 distance eigrp 180 180
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 94.193.96.1

!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 10.100.10.0 0.0.0.255
access-list 100 permit ip 10.100.10.0 0.0.0.127 10.101.4.0 0.0.0.127
!
!
!
!
control-plane
!
!
banner login ^CAuthorized access only!Disconnect IMMEDIATELY if you are not an a
uthorized user^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input all
!
scheduler allocate 20000 1000
end

Open in new window

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nabeel92Author Commented: 2010-03-25

LVL 1

CaptnassarCommented: 2010-03-25

try using tunnel mode instead of transport on the CISCO router

nabeel92Author Commented: 2010-03-28

ok resolved it. Had to deny VPN destinations from getting NATTED. all good now !

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

One Way tunnel between Cisco and Draytek

Who is Participating?