Solved

Site-to-Site VPN - Cisco 1801 to Draytek Vigor 2850

Posted on 2012-08-14
Last Modified: 2012-08-14
Hi there,

I'm having issues trying to set a site-to-site (LAN-to-LAN) VPN up between two sites. Site 1 has a Cisco 1801 and site 2 has a Draytek Vigor 2850. I'm more familiar with the Cisco side so I'm guessing I'm doing something wrong with the Draytek. The end result is that I can't seem to bring the tunnel UP.

For the purpose of this doc the IPs are as follows:

                WAN            LOCAL
SITE 1          1.1.1.1        172.16.16.254    255.255.240.0
SITE 2          2.2.2.2        192.168.1.1      255.255.255.0

SITE 1 Cisco config below (& SITE 2 Draytek config attached):

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cslcsl01 address 2.2.2.2
!
!
crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac
crypto ipsec transform-set TSET2 esp-des esp-md5-hmac
crypto ipsec transform-set TSET3 esp-aes 256 esp-sha-hmac
!
crypto map CRMAP local-address Dialer0
crypto map CRMAP 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TSET3
 match address 198
!
interface Dialer0
 mtu 1483
 bandwidth 350
 ip address negotiated
 ip access-group 199 in
 ip access-group 150 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname Cxxxxxx@hg43.btclick.com
 ppp chap password 0 xxxxxxxxx
 crypto map CRMAP
 max-reserved-bandwidth 100
 service-policy output QOS-OUT
!
access-list 198 permit ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 198 permit ip 192.168.1.0 0.0.0.255 172.16.16.0 0.0.15.255
access-list 198 permit tcp any any eq 500
access-list 198 permit esp any any
Question by:andrewprouse

34 Comments

Author Comment

by:andrewprouse
ID: 38290973
Amendment: If I issue the following commands on the Cisco router:

clear cry ses
clear cry sa
clear cry isa

I get the following debug message:

*Aug 14 08:05:53.967: No peer struct to get peer description

Expert Comment

by:Qlemo
ID: 38290983
We are missing the Draytek config ;-)

If you are more familiar with the Cisco part, I recommend trying to initiate traffic from the Draytek and debugging on the Cisco. That should show what the Draytek expects, and will most likely reveal the culprit.

Author Comment

by:andrewprouse
ID: 38290986
Sorry...Draytek config attached.

The only option to initiate traffic on the Draytek is to hit the DIAL button on the VPN Connection Manager. When I press this literally nothing happens. No error messages & no debug info on the Cisco.
Draytek-Config.docx

Expert Comment

by:fgasimzade
ID: 38291008
Can we see ip access lists 199 and 150?

Expert Comment

by:Qlemo
ID: 38291021
I'm no expert on either Draytek or Cisco, and have only configured a Draytek once, a long time ago, but there are some points which puzzle me:
In the Cisco config there is PPP authentication information for Dialer0. IPSec does not use such.
The Draytek has a general section for entering the PSK, and a specific section. The PSK is entered in the specific section only. Maybe you should also set it in the general one.
Anyway, as long as the remote gateway address and generic protocol (PPTP, IPSec, ...) are correct, you should see at least the connection attempt.

Author Comment

by:andrewprouse
ID: 38291024
There are some old rules within these ACLs from a previous site-to-site VPN to the network 172.16.0.0   255.255.240.0.

ip access-list logging interval 10
no logging trap
access-list 1 permit 172.16.16.0 0.0.15.255
access-list 101 deny   ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 101 deny   ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 172.16.16.0 0.0.15.255 any
access-list 101 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny   ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 110 permit tcp any any range 50000 59999
access-list 110 permit udp any any range 50000 59999
access-list 120 permit ip host 172.16.30.1 host 172.16.14.1
access-list 125 permit ip any any dscp ef
access-list 125 permit ip any any
access-list 150 permit udp any any eq 50561 log-input
access-list 150 permit udp any any
access-list 150 permit tcp any any
access-list 150 permit ip any any
access-list 155 permit ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 180 permit ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 180 permit ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
access-list 180 permit ip 172.16.0.0 0.0.15.255 192.168.200.0 0.0.0.255
access-list 180 permit ip 172.16.0.0 0.0.15.255 172.16.16.0 0.0.15.255
access-list 198 permit ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 198 permit ip 192.168.1.0 0.0.0.255 172.16.16.0 0.0.15.255
access-list 198 permit tcp any any eq 500
access-list 198 permit esp any any
access-list 199 permit tcp any any established
access-list 199 permit udp any eq domain any
access-list 199 permit udp host 217.36.231.143 any eq non500-isakmp
access-list 199 permit udp host 217.36.231.143 any eq isakmp
access-list 199 permit esp host 217.36.231.143 any
access-list 199 permit ahp host 217.36.231.143 any
access-list 199 deny   ip host 255.255.255.255 any
access-list 199 deny   ip 127.0.0.0 0.255.255.255 any
access-list 199 permit tcp any any eq 5801
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp any any eq 143
access-list 199 permit tcp any any eq smtp
access-list 199 permit tcp any any eq 3389
access-list 199 permit tcp any any eq 5903
access-list 199 permit tcp any any eq 81
access-list 199 permit tcp any any eq 443
access-list 199 permit tcp any any eq 993
access-list 199 permit gre any any
access-list 199 permit tcp any any eq telnet
access-list 199 permit icmp any any
access-list 199 permit tcp any any eq 8081
access-list 199 permit tcp any any eq 52222
access-list 199 permit udp any any eq 50561
access-list 199 permit tcp any any eq 123
access-list 199 permit tcp any any eq 1234
access-list 199 permit udp any any eq 50562
access-list 199 permit udp any any eq 50563
access-list 199 permit tcp any any eq 22315
access-list 199 permit udp any any eq 22315
access-list 199 permit tcp any any eq ftp
access-list 199 permit tcp any any range 65500 65510
access-list 199 permit ip 172.16.0.0 0.0.15.255 any
access-list 199 permit udp any any eq ntp
access-list 199 permit tcp any any eq 22
access-list 199 permit udp any any eq 22
access-list 199 permit tcp any any eq 5900
access-list 199 permit tcp any any eq 5901
access-list 199 permit tcp any any eq 5902
access-list 199 permit tcp any any eq 5800
access-list 199 permit tcp any any eq 50561
access-list 199 permit udp any any eq 389
access-list 199 permit tcp any any eq 445
access-list 199 permit tcp any any eq 444
access-list 199 permit tcp any any eq 5061
access-list 199 permit udp any any eq 3478
access-list 199 permit udp any any range 50000 59999
access-list 199 permit tcp any any range 50000 59999
access-list 199 permit tcp any any eq 446
access-list 199 permit ip 192.168.100.0 0.0.0.255 any
access-list 199 permit tcp any any eq 4443
access-list 199 permit tcp any any eq www
access-list 199 permit udp any any eq 3389
access-list 199 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.240.0
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit tcp any any eq 500
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
dialer-list 1 protocol ip permit

Author Comment

by:andrewprouse
ID: 38291092
Ok, the VPN now seems to be up.  I had to change the 'WAN IP' & 'Remote Gateway IP' to 0.0.0.0 on the LAN-to-LAN setup page (must be a Draytek thing).

My issue now is that I can't seem to ping across the VPN. Would this be an ACL thing?

Author Comment

by:andrewprouse
ID: 38291101
DEBUG shows

*Aug 14 09:16:33.171: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Expert Comment

by:fgasimzade
ID: 38291118
No, you have already permitted everything you need in the access lists:

access-list 199 permit ip 192.168.1.0 0.0.0.255 any

access-list 150 permit ip any any

Make sure you have routing properly configured

Expert Comment

by:fgasimzade
ID: 38291130
You would also need to configure NAT exempt on the router

Can you post your NAT config?

Author Comment

by:andrewprouse
ID: 38291231
I have a static route of: S 192.168.1.0/24 [1/0] via 2.2.2.2

If I do a sh cry ipsec sa I've noticed the following:

protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 273


NAT config is as follows:

ip nat pool AV_Edge 192.168.200.20 192.168.200.20 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 172.16.17.33 443 interface Dialer0 443
ip nat inside source static udp 172.16.20.18 22315 interface Dialer0 22315
ip nat inside source static tcp 172.16.20.18 22315 interface Dialer0 22315
ip nat inside source static udp 172.16.16.120 50561 interface Dialer0 50561
ip nat inside source static tcp 172.16.17.33 80 interface Dialer0 80
ip nat inside source static tcp 172.16.17.33 25 interface Dialer0 25
ip nat inside source static tcp 172.16.17.32 1723 interface Dialer0 1723
ip nat inside source static tcp 172.16.17.33 143 interface Dialer0 143
ip nat inside source static tcp 172.16.17.33 993 interface Dialer0 993
ip nat inside source static tcp 172.16.17.33 21 interface Dialer0 21
ip nat inside source static tcp 172.16.17.33 65500 interface Dialer0 65500
ip nat inside source static tcp 172.16.17.33 65501 interface Dialer0 65501
ip nat inside source static tcp 172.16.17.33 65502 interface Dialer0 65502
ip nat inside source static tcp 172.16.17.33 65503 interface Dialer0 65503
ip nat inside source static tcp 172.16.17.33 65504 interface Dialer0 65504
ip nat inside source static tcp 172.16.17.33 65505 interface Dialer0 65505
ip nat inside source static tcp 172.16.17.33 65506 interface Dialer0 65506
ip nat inside source static tcp 172.16.17.33 65507 interface Dialer0 65507
ip nat inside source static tcp 172.16.17.33 65508 interface Dialer0 65508
ip nat inside source static tcp 172.16.17.33 65509 interface Dialer0 65509
ip nat inside source static tcp 172.16.17.33 65510 interface Dialer0 65510
ip nat inside source static udp 172.16.17.31 123 interface Dialer0 123
ip nat inside source static udp 172.16.30.1 22 interface Dialer0 22
ip nat inside source static tcp 172.16.30.1 22 interface Dialer0 22
ip nat inside source static tcp 172.16.20.16 5900 interface Dialer0 5900
ip nat inside source static tcp 172.16.20.16 5901 interface Dialer0 5901
ip nat inside source static tcp 172.16.20.16 5902 interface Dialer0 5902
ip nat inside source static tcp 172.16.20.16 5903 interface Dialer0 5903
ip nat inside source static tcp 172.16.20.16 5800 interface Dialer0 5800
ip nat inside source static tcp 172.16.16.120 50561 interface Dialer0 50561
ip nat inside source static tcp 172.16.17.33 444 interface Dialer0 444
ip nat inside source static tcp 192.168.200.20 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.200.20 3478 interface Dialer0 3478
ip nat inside source static tcp 192.168.200.20 4443 interface Dialer0 4443
ip nat inside source static tcp 192.168.200.20 8080 interface Dialer0 8080
ip nat inside source static tcp 192.168.200.20 446 interface Dialer0 446
ip nat inside source static tcp 172.16.17.10 3389 interface Dialer0 3389
ip nat inside source static tcp 172.16.16.10 52222 interface Dialer0 52222
ip nat inside source route-map RMAP-1 interface Dialer0 overload
ip nat inside destination list 110 pool AV_Edge
!
!
route-map RMAP-1 permit 1
 match ip address 101
!
interface Dialer0
 ip nat outside
!
interface Vlan1
 ip nat inside
!

Expert Comment

by:fgasimzade
ID: 38291237
What is your default gateway on Cisco network?

Author Comment

by:andrewprouse
ID: 38291242
The router's VLAN1 IP address: 172.16.16.254

Expert Comment

by:fgasimzade
ID: 38291248
Add this to your config:

access-list 101 deny   ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255

I suggest adding it after: access-list 101 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255

Author Comment

by:andrewprouse
ID: 38291527
Sorry, didn't notice your post. I've just added your command to ACL 101 but I don't seem to be any further forward.

The VPN appears UP if I use Draytek's aggressive mode, but as soon as I put it back to 'main mode' the VPN never starts. In both modes however the Cisco debug is plagued with messages about 'purging nodes':


BRISTOL-RTR#
*Aug 14 11:49:17.990: ISAKMP:(2014):purging node -615247504
BRISTOL-RTR#
*Aug 14 11:49:28.326: ISAKMP (0:2014): received packet from 87.194.205.145 dport 500 sport 500 Global (R) QM_IDLE
*Aug 14 11:49:28.326: ISAKMP: set new node -1337222847 to QM_IDLE
*Aug 14 11:49:28.330: ISAKMP:(2014): processing HASH payload. message ID = -1337222847
*Aug 14 11:49:28.330: ISAKMP:(2014): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -1337222847, sa = 851CD7B4
*Aug 14 11:49:28.330: ISAKMP:(2014):deleting node -1337222847 error FALSE reason "Informational (in) state 1"
*Aug 14 11:49:28.330: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 14 11:49:28.330: ISAKMP:(2014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug 14 11:49:28.330: ISAKMP:(2014):DPD/R_U_THERE received from peer 87.194.205.145, sequence 0xB60
*Aug 14 11:49:28.330: ISAKMP: set new node 1339048727 to QM_IDLE
*Aug 14 11:49:28.330: ISAKMP:(2014):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2219908288, message ID = 1339048727
*Aug 14 11:49:28.330: ISAKMP:(2014): seq. no 0xB60
*Aug 14 11:49:28.330: ISAKMP:(2014): sending packet to 87.194.205.145 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 14 11:49:28.330: ISAKMP:(2014):Sending an IKE IPv4 Packet.
*Aug 14 11:49:28.330: ISAKMP:(2014):purging node 1339048727
BRISTOL-RTR#
*Aug 14 11:49:28.330: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Aug 14 11:49:28.330: ISAKMP:(2014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

BRISTOL-RTR#
*Aug 14 11:49:33.074: ISAKMP:(2014):purging node 1343386404
BRISTOL-RTR#
*Aug 14 11:49:43.414: ISAKMP (0:2014): received packet from 87.194.205.145 dport 500 sport 500 Global (R) QM_IDLE
*Aug 14 11:49:43.414: ISAKMP: set new node 621411317 to QM_IDLE
*Aug 14 11:49:43.414: ISAKMP:(2014): processing HASH payload. message ID = 621411317
*Aug 14 11:49:43.414: ISAKMP:(2014): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 621411317, sa = 851CD7B4
*Aug 14 11:49:43.414: ISAKMP:(2014):deleting node 621411317 error FALSE reason "Informational (in) state 1"
*Aug 14 11:49:43.414: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 14 11:49:43.414: ISAKMP:(2014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug 14 11:49:43.414: ISAKMP:(2014):DPD/R_U_THERE received from peer 87.194.205.145, sequence 0xB61
*Aug 14 11:49:43.414: ISAKMP: set new node -737335812 to QM_IDLE
*Aug 14 11:49:43.414: ISAKMP:(2014):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2219908288, message ID = -737335812
*Aug 14 11:49:43.414: ISAKMP:(2014): seq. no 0xB61
*Aug 14 11:49:43.414: ISAKMP:(2014): sending packet to 87.194.205.145 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 14 11:49:43.414: ISAKMP:(2014):Sending an IKE IPv4 Packet.
*Aug 14 11:49:43.414: ISAKMP:(2014):purging node -737335812

Author Comment

by:andrewprouse
ID: 38291530
I'm also getting a lot of these messages:

*Aug 14 11:53:48.754: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Expert Comment

by:fgasimzade
ID: 38291649
Can you do show crypto ipsec again please?

Author Comment

by:andrewprouse
ID: 38291662
BRISTOL-RTR#sh cry ipsec sa

interface: Dialer0
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 93

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE6(2344013030)

     inbound esp sas:
      spi: 0x7D58F445(2102981701)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 23, flow_id: Motorola SEC 2.0:23, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554930/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE6(2344013030)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 24, flow_id: Motorola SEC 2.0:24, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554950/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access3
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 93

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE6(2344013030)

     inbound esp sas:
      spi: 0x7D58F445(2102981701)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 23, flow_id: Motorola SEC 2.0:23, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554930/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE6(2344013030)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 24, flow_id: Motorola SEC 2.0:24, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554950/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
BRISTOL-RTR#

Expert Comment

by:fgasimzade
ID: 38291671
Can you post sh ip access-list 101?

Author Comment

by:andrewprouse
ID: 38291673
BRISTOL-RTR#sh ip access 101
Extended IP access list 101
    10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255 (3826 matches)
    20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
    30 permit ip 172.16.16.0 0.0.15.255 any (350164 matches)
    40 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    50 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
    60 permit ip 192.168.200.0 0.0.0.255 any (5228 matches)
    70 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255

Accepted Solution

by:fgasimzade (earned 2000 total points)
ID: 38291675
70 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255

This line must be 25, not 70.

Author Comment

by:andrewprouse
ID: 38291702
Changed to 102:


route-map RMAP-1 permit 1
 match ip address 102
!

BRISTOL-RTR#sh ip access 102
Extended IP access list 102
    10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
    20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
    30 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
    40 permit ip 172.16.16.0 0.0.15.255 any
    50 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    60 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
    70 permit ip 192.168.200.0 0.0.0.255 any
BRISTOL-RTR#

Author Comment

by:andrewprouse
ID: 38291704
BRISTOL-RTR#sh ip access 102
Extended IP access list 102
    10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255 (6 matches)
    20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
    30 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
    40 permit ip 172.16.16.0 0.0.15.255 any (28 matches)
    50 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    60 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
    70 permit ip 192.168.200.0 0.0.0.255 any (4 matches)
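
To show why the sequence number matters, here is an added Python model (not from the thread, and not Cisco's code) of the outbound order on the Dialer0 interface: the route-map ACL that drives NAT is evaluated first-match, and only the post-NAT packet is compared with crypto ACL 198, so a VPN deny placed below 'permit ... any' is never reached and the LAN-to-LAN traffic is PATed and sent in clear. The ACL 101 and ACL 102 entries are the ones posted above; the crypto-ACL sequence numbers, the 1.1.1.1 WAN address and the inner-packet check in sa_identity_check (a model of the check behind the 'decrypted packet failed SA identity check' message) are assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard masks are inverted subnet masks: 0.0.15.255 means 255.255.240.0 (/20)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_addr(fields: list[str]) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if fields[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), fields[1:]
    if fields[0] == "host":
        return ipaddress.IPv4Network(f"{fields[1]}/32"), fields[2:]
    return wildcard_to_network(fields[0], fields[1]), fields[2:]


def parse_acl(text: str) -> list[AclEntry]:
    """Parse 'show ip access-list' lines ('seq action ip src dst [(N matches)]'); non-ip entries are skipped."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "ip":
            continue
        src, rest = _take_addr(parts[3:])
        dst, _ = _take_addr(rest)
        entries.append(AclEntry(int(parts[0]), parts[1], src, dst))
    return sorted(entries, key=lambda e: e.seq)


def first_match(acl: list[AclEntry], src: str, dst: str) -> AclEntry | None:
    """Cisco ACLs are evaluated top-down; first match wins, with an implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return next((e for e in acl if s in e.src and d in e.dst), None)


def outbound(nat_acl: list[AclEntry], crypto_acl: list[AclEntry], src: str, dst: str, wan_ip: str) -> dict:
    """Model the outbound order on Dialer0: inside-to-outside NAT runs before the crypto map.
    A flow the route-map ACL permits is PATed to the WAN address, so crypto ACL 198 (which names
    the private subnets) no longer matches and the packet leaves in clear: '#pkts encaps' stays 0."""
    nat_hit = first_match(nat_acl, src, dst)
    natted = nat_hit is not None and nat_hit.action == "permit"
    src_on_wire = wan_ip if natted else src
    crypto_hit = first_match(crypto_acl, src_on_wire, dst)
    return {"nat_seq": nat_hit.seq if nat_hit else None, "natted": natted,
            "src_on_wire": src_on_wire,
            "encrypted": crypto_hit is not None and crypto_hit.action == "permit"}


def sa_identity_check(local_ident: str, remote_ident: str, inner_src: str, inner_dst: str) -> bool:
    """Model (assumption) of the check behind 'decrypted packet failed SA identity check': the decrypted
    packet's source must lie in the SA's remote ident and its destination in the local ident, or it is dropped."""
    return (ipaddress.IPv4Address(inner_src) in ipaddress.IPv4Network(remote_ident)
            and ipaddress.IPv4Address(inner_dst) in ipaddress.IPv4Network(local_ident))


# ACL 101 as posted: the VPN deny was appended as seq 70, below 'permit ... any' at seq 30.
ACL_101_AS_POSTED = """
10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
30 permit ip 172.16.16.0 0.0.15.255 any
40 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
50 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
60 permit ip 192.168.200.0 0.0.0.255 any
70 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
"""

# ACL 102 as posted after the fix: the VPN deny sits above the permit.
ACL_102_FIXED = """
10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
30 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
40 permit ip 172.16.16.0 0.0.15.255 any
50 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
60 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
70 permit ip 192.168.200.0 0.0.0.255 any
"""

# The ip lines of crypto ACL 198; the sequence numbers are constructed for this model.
CRYPTO_ACL_198 = """
10 permit ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 172.16.16.0 0.0.15.255
"""

WAN_IP = "1.1.1.1"  # site 1 WAN address as given in the question


def demo() -> tuple[dict, dict, dict]:
    # Same LAN-to-LAN packet under ACL 101 and ACL 102, plus an internet-bound packet under ACL 102.
    crypto = parse_acl(CRYPTO_ACL_198)
    broken = outbound(parse_acl(ACL_101_AS_POSTED), crypto, "172.16.16.10", "192.168.1.20", WAN_IP)
    fixed = outbound(parse_acl(ACL_102_FIXED), crypto, "172.16.16.10", "192.168.1.20", WAN_IP)
    internet = outbound(parse_acl(ACL_102_FIXED), crypto, "172.16.16.10", "203.0.113.9", WAN_IP)
    return broken, fixed, internet
```

Calling demo() returns the three result dicts: under ACL 101 the LAN-to-LAN packet hits seq 30, is PATed to 1.1.1.1 and misses the crypto ACL; under ACL 102 it hits the deny at seq 30, keeps its private source and matches the crypto ACL, while internet traffic is still PATed via seq 40.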

Expert Comment

by:fgasimzade
ID: 38291711
Ok, now see if you can ping the other side. If not, post the show crypto ipsec again.

Author Comment

by:andrewprouse
ID: 38291719
Still no reply from the other side.

BRISTOL-RTR#sh cry ipsec sa

interface: Dialer0
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 115

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE7(2344013031)

     inbound esp sas:
      spi: 0xF1C686AE(4056319662)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 25, flow_id: Motorola SEC 2.0:25, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497036/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE7(2344013031)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 26, flow_id: Motorola SEC 2.0:26, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497038/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access3
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 115

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE7(2344013031)

     inbound esp sas:
      spi: 0xF1C686AE(4056319662)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 25, flow_id: Motorola SEC 2.0:25, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497036/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE7(2344013031)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 26, flow_id: Motorola SEC 2.0:26, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497038/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
BRISTOL-RTR#
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38291732
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 115


0 here means that packets do not reach the router (routing problem) or there is a NAT problem.

From where are you pinging?
0
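The counter reading above (and the one-way symptom that the rest of the thread chases down) can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses the per-flow blocks of a `show crypto ipsec sa` listing and flags the patterns discussed here. The sample output is constructed from the shape of the listing posted above, with the public addresses replaced by documentation prefixes; the rules of thumb in `findings()` are the editor's, not anything the page states beyond "encaps 0 with decaps greater than 0 means local traffic is not reaching the crypto map".

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: two flows trimmed from a `show crypto ipsec sa`-style
# listing. Addresses are documentation prefixes (RFC 5737), not the thread's.
SAMPLE_OUTPUT = """\
interface: Dialer0
    Crypto map tag: CRMAP, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #send errors 0, #recv errors 115

     inbound esp sas:
      spi: 0xF1C686AE(4056319662)
        Status: ACTIVE

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 198.51.100.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     inbound esp sas:

     outbound esp sas:
"""

FLOW_SPLIT = re.compile(r"^\s*protected vrf:", re.M)
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
SPI_RE = re.compile(r"spi: 0x[0-9A-Fa-f]+")


@dataclass
class IpsecFlow:
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    has_sa: bool  # at least one SPI listed under this proxy identity

    def key(self) -> str:
        return f"{self.local_ident} -> {self.remote_ident}"

    def findings(self) -> List[str]:
        """Editor's rules of thumb for the counter patterns seen in the thread."""
        out: List[str] = []
        if self.encaps == 0 and self.decaps == 0 and not self.has_sa:
            out.append("no SA and no traffic: nothing has matched this proxy identity")
        if self.decaps > 0 and self.encaps == 0:
            out.append("one-way: peer traffic is decrypted but nothing is encrypted back; "
                       "local LAN traffic is not reaching the crypto map (routing or NAT)")
        if self.recv_errors > 0:
            out.append(f"{self.recv_errors} inbound packets counted as receive errors")
        return out


def parse_flows(text: str) -> List[IpsecFlow]:
    """Split the listing into per-proxy-identity blocks and pull the counters."""
    flows: List[IpsecFlow] = []
    for chunk in FLOW_SPLIT.split(text)[1:]:  # chunk 0 is the interface header
        idents = dict(IDENT_RE.findall(chunk))
        peer = PEER_RE.search(chunk)
        errs = ERR_RE.search(chunk)
        encaps = ENCAPS_RE.search(chunk)
        decaps = DECAPS_RE.search(chunk)
        flows.append(IpsecFlow(
            local_ident=idents.get("local", "?"),
            remote_ident=idents.get("remote", "?"),
            peer=peer.group(1) if peer else "?",
            encaps=int(encaps.group(1)) if encaps else 0,
            decaps=int(decaps.group(1)) if decaps else 0,
            send_errors=int(errs.group(1)) if errs else 0,
            recv_errors=int(errs.group(2)) if errs else 0,
            has_sa=bool(SPI_RE.search(chunk)),
        ))
    return flows


def diagnose(text: str) -> Dict[str, List[str]]:
    """Map each flow (local -> remote) to the findings raised for it."""
    return {f.key(): f.findings() for f in parse_flows(text)}


if __name__ == "__main__":
    for flow_key, notes in diagnose(SAMPLE_OUTPUT).items():
        print(flow_key)
        for note in notes or ["counters look symmetric"]:
            print("  -", note)
```

Run it against a saved copy of the command output; a flow with decrypt counters climbing while encrypt stays at zero is the signature to look for before touching the crypto config, since the IKE and IPsec negotiation is evidently fine and the problem is what happens to the cleartext return traffic.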
 

Author Comment

by:andrewprouse
ID: 38291733
Although the VPN comes UP I'm still getting the following:

*Aug 14 13:05:48.794: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:05:48.794: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:05:48.794: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:07:27.058: ISAKMP:(2017):purging node 2002373508
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38291758
Where are you pinging from?

How do you see that the VPN is up?
0
 

Author Comment

by:andrewprouse
ID: 38291781
Ah, we may have just got somewhere.

After your change to ACL 102 I cleared all tunnels and sessions, then re-initiated the VPN from the Draytek side.  I can now ping from the Cisco router's VLAN1 interface to the Draytek router and beyond to LAN devices.

I am now just trying to get the ping working the other way.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38291792
For testing, you need to ping from PC to PC, not from the VPN devices.
0
 

Author Comment

by:andrewprouse
ID: 38291809
I can ping from SITE 1 PC to SITE 2 LAN DEVICE

I'm just trying to arrange access to a PC on site 2 to try pinging the other way.

SITE 2 router cannot ping SITE 1 router or LAN, but you could be right, so I'll keep trying to get access to a PC on SITE 2.
0
 

Author Comment

by:andrewprouse
ID: 38291881
fgasimzade...I think we've done it :)

It must have been the NAT rule that you suggested I add to the NAT ACL.

Strange though that I'm still getting these debug messages:

*Aug 14 13:38:11.482: No peer struct to get peer description
*Aug 14 13:38:11.482: No peer struct to get peer description
*Aug 14 13:38:11.482: No peer struct to get peer description
*Aug 14 13:38:55.750: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:38:56.514: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:38:57.274: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

However, I don't really mind, the main thing is that it is up and working....thank you :)
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38291934
Have a good day!
0
