Site-to-Site VPN - Cisco 1801 to Draytek Vigor 2850

Hi there,

I'm having issues trying to set a site-to-site (lan to lan) VPN up between two sites.  Site 1 has a Cisco 1801 and site 2 has a Draytek Vigor 2850.  I'm more familiar with the Cisco side so I'm guessing I'm doing somthing wrong with the Draytek.  The end result is that I can't seem to bring the tunnel UP.

For the purpose of this doc the IPs are as follows:

                    WAN                          LOCAL
SITE 1          1.1.1.1                        172.16.16.254     255.255.240.0
SITE 2          2.2.2.2.                       192.168.1.1         255.255.255.0

SITE 1 Cisco config below (& SITE 2 Draytek config attached):

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cslcsl01 address 2.2.2.2
!
!
crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac
crypto ipsec transform-set TSET2 esp-des esp-md5-hmac
crypto ipsec transform-set TSET3 esp-aes 256 esp-sha-hmac
!
crypto map CRMAP local-address Dialer0
crypto map CRMAP 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TSET3
 match address 198
!
interface Dialer0
 mtu 1483
 bandwidth 350
 ip address negotiated
 ip access-group 199 in
 ip access-group 150 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname Cxxxxxx@hg43.btclick.com
 ppp chap password 0 xxxxxxxxx
 crypto map CRMAP
 max-reserved-bandwidth 100
 service-policy output QOS-OUT
!
access-list 198 permit ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 198 permit ip 192.168.1.0 0.0.0.255 172.16.16.0 0.0.15.255
access-list 198 permit tcp any any eq 500
access-list 198 permit esp any any
andrewprouseAsked:
Who is Participating?
 
fgasimzadeConnect With a Mentor Commented:
70 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255

This line must be 25, not 70
0
 
andrewprouseAuthor Commented:
Ammendment:   If I issue the following commands on the Cisco router:

clear cry ses
clear cry sa
clear cry isa

I get the following debug message:

*Aug 14 08:05:53.967: No peer struct to get peer description
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
We are missing the Draytek config ;-)

If you are more familiar with the Cisco part, I recommend to try to initiate traffic from Draytek, and debug on Cisco. That should show what the Draytek expects, and will most likely reveal the culprit.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
andrewprouseAuthor Commented:
Sorry...Draytek config attached.

The only option to initiate traffic on the Draytek is to hit the DIAL button on the VPN Connection Manager.  When I press this literally nothing happens.  No error messages & no debug info on the Cisco
Draytek-Config.docx
0
 
fgasimzadeCommented:
Can we see ip access lists 199 and 150?
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
I'm no expert on any of Draytek or Cisco, and have only configured a Draytek once a long time ago, but there are some points which puzzle me:
In Cisco config there are PPP authentication information for Dialer0. IPSec does not use such.
The Draytek has a general section for entering the PSK, and a specific section. The PSK is entered in the specific section only. Maybe you should also set it in the general one.
Anyway, as long as the remote gateway address and generic protocol (PPTP, IPSec, ...) is correct, you should see at least the connection attempt.
0
 
andrewprouseAuthor Commented:
There are some old rules within these ACLs from a previous site-to-site VPN to the network 172.16.0.0   255.255.240.0.

ip access-list logging interval 10
no logging trap
access-list 1 permit 172.16.16.0 0.0.15.255
access-list 101 deny   ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 101 deny   ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 172.16.16.0 0.0.15.255 any
access-list 101 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny   ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 110 permit tcp any any range 50000 59999
access-list 110 permit udp any any range 50000 59999
access-list 120 permit ip host 172.16.30.1 host 172.16.14.1
access-list 125 permit ip any any dscp ef
access-list 125 permit ip any any
access-list 150 permit udp any any eq 50561 log-input
access-list 150 permit udp any any
access-list 150 permit tcp any any
access-list 150 permit ip any any
access-list 155 permit ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 180 permit ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 180 permit ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
access-list 180 permit ip 172.16.0.0 0.0.15.255 192.168.200.0 0.0.0.255
access-list 180 permit ip 172.16.0.0 0.0.15.255 172.16.16.0 0.0.15.255
access-list 198 permit ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 198 permit ip 192.168.1.0 0.0.0.255 172.16.16.0 0.0.15.255
access-list 198 permit tcp any any eq 500
access-list 198 permit esp any any
access-list 199 permit tcp any any established
access-list 199 permit udp any eq domain any
access-list 199 permit udp host 217.36.231.143 any eq non500-isakmp
access-list 199 permit udp host 217.36.231.143 any eq isakmp
access-list 199 permit esp host 217.36.231.143 any
access-list 199 permit ahp host 217.36.231.143 any
access-list 199 deny   ip host 255.255.255.255 any
access-list 199 deny   ip 127.0.0.0 0.255.255.255 any
access-list 199 permit tcp any any eq 5801
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp any any eq 143
access-list 199 permit tcp any any eq smtp
access-list 199 permit tcp any any eq 3389
access-list 199 permit tcp any any eq 5903
access-list 199 permit tcp any any eq 81
access-list 199 permit tcp any any eq 443
access-list 199 permit tcp any any eq 993
access-list 199 permit gre any any
access-list 199 permit tcp any any eq telnet
access-list 199 permit icmp any any
access-list 199 permit tcp any any eq 8081
access-list 199 permit tcp any any eq 52222
access-list 199 permit udp any any eq 50561
access-list 199 permit tcp any any eq 123
access-list 199 permit tcp any any eq 1234
access-list 199 permit udp any any eq 50562
access-list 199 permit udp any any eq 50563
access-list 199 permit tcp any any eq 22315
access-list 199 permit udp any any eq 22315
access-list 199 permit tcp any any eq ftp
access-list 199 permit tcp any any range 65500 65510
access-list 199 permit ip 172.16.0.0 0.0.15.255 any
access-list 199 permit udp any any eq ntp
access-list 199 permit tcp any any eq 22
access-list 199 permit udp any any eq 22
access-list 199 permit tcp any any eq 5900
access-list 199 permit tcp any any eq 5901
access-list 199 permit tcp any any eq 5902
access-list 199 permit tcp any any eq 5800
access-list 199 permit tcp any any eq 50561
access-list 199 permit udp any any eq 389
access-list 199 permit tcp any any eq 445
access-list 199 permit tcp any any eq 444
access-list 199 permit tcp any any eq 5061
access-list 199 permit udp any any eq 3478
access-list 199 permit udp any any range 50000 59999
access-list 199 permit tcp any any range 50000 59999
access-list 199 permit tcp any any eq 446
access-list 199 permit ip 192.168.100.0 0.0.0.255 any
access-list 199 permit tcp any any eq 4443
access-list 199 permit tcp any any eq www
access-list 199 permit udp any any eq 3389
access-list 199 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.240.0
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit tcp any any eq 500
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
dialer-list 1 protocol ip permit
0
 
andrewprouseAuthor Commented:
Ok, the VPN now seems to be up.  I had to change the 'WAN IP' & 'Remote Gateway IP' to 0.0.0.0 on the LAN-to-LAN setup page (must be a Draytek thing).

My issue now is that I can't seem to ping accross the VPN.  Would this be an ACL thing?
0
 
andrewprouseAuthor Commented:
DEBUG shows

*Aug 14 09:16:33.171: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
0
 
fgasimzadeCommented:
No, you have already permitted everything you need in access lists

access-list 199 permit ip 192.168.1.0 0.0.0.255 any

access-list 150 permit ip any any

Make sure you have routing properly configured
0
 
fgasimzadeCommented:
You would also need to configure NAT exempt on the router

Can you post your NAT config?
0
 
andrewprouseAuthor Commented:
I have a static route of:         S    192.168.1.0/24 [1/0] via 2.2.2.2

If I do a sh cry ipsec sa I've noticed the following:

protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 273


NAT config is as follows:

ip nat pool AV_Edge 192.168.200.20 192.168.200.20 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 172.16.17.33 443 interface Dialer0 443
ip nat inside source static udp 172.16.20.18 22315 interface Dialer0 22315
ip nat inside source static tcp 172.16.20.18 22315 interface Dialer0 22315
ip nat inside source static udp 172.16.16.120 50561 interface Dialer0 50561
ip nat inside source static tcp 172.16.17.33 80 interface Dialer0 80
ip nat inside source static tcp 172.16.17.33 25 interface Dialer0 25
ip nat inside source static tcp 172.16.17.32 1723 interface Dialer0 1723
ip nat inside source static tcp 172.16.17.33 143 interface Dialer0 143
ip nat inside source static tcp 172.16.17.33 993 interface Dialer0 993
ip nat inside source static tcp 172.16.17.33 21 interface Dialer0 21
ip nat inside source static tcp 172.16.17.33 65500 interface Dialer0 65500
ip nat inside source static tcp 172.16.17.33 65501 interface Dialer0 65501
ip nat inside source static tcp 172.16.17.33 65502 interface Dialer0 65502
ip nat inside source static tcp 172.16.17.33 65503 interface Dialer0 65503
ip nat inside source static tcp 172.16.17.33 65504 interface Dialer0 65504
ip nat inside source static tcp 172.16.17.33 65505 interface Dialer0 65505
ip nat inside source static tcp 172.16.17.33 65506 interface Dialer0 65506
ip nat inside source static tcp 172.16.17.33 65507 interface Dialer0 65507
ip nat inside source static tcp 172.16.17.33 65508 interface Dialer0 65508
ip nat inside source static tcp 172.16.17.33 65509 interface Dialer0 65509
ip nat inside source static tcp 172.16.17.33 65510 interface Dialer0 65510
ip nat inside source static udp 172.16.17.31 123 interface Dialer0 123
ip nat inside source static udp 172.16.30.1 22 interface Dialer0 22
ip nat inside source static tcp 172.16.30.1 22 interface Dialer0 22
ip nat inside source static tcp 172.16.20.16 5900 interface Dialer0 5900
ip nat inside source static tcp 172.16.20.16 5901 interface Dialer0 5901
ip nat inside source static tcp 172.16.20.16 5902 interface Dialer0 5902
ip nat inside source static tcp 172.16.20.16 5903 interface Dialer0 5903
ip nat inside source static tcp 172.16.20.16 5800 interface Dialer0 5800
ip nat inside source static tcp 172.16.16.120 50561 interface Dialer0 50561
ip nat inside source static tcp 172.16.17.33 444 interface Dialer0 444
ip nat inside source static tcp 192.168.200.20 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.200.20 3478 interface Dialer0 3478
ip nat inside source static tcp 192.168.200.20 4443 interface Dialer0 4443
ip nat inside source static tcp 192.168.200.20 8080 interface Dialer0 8080
ip nat inside source static tcp 192.168.200.20 446 interface Dialer0 446
ip nat inside source static tcp 172.16.17.10 3389 interface Dialer0 3389
ip nat inside source static tcp 172.16.16.10 52222 interface Dialer0 52222
ip nat inside source route-map RMAP-1 interface Dialer0 overload
ip nat inside destination list 110 pool AV_Edge
!
!
route-map RMAP-1 permit 1
 match ip address 101
!
interface Dialer0
 ip nat outside
!
interface Vlan1
 ip nat inside
!
0
 
fgasimzadeCommented:
What is your default gateway on Cisco network?
0
 
andrewprouseAuthor Commented:
the Router's VLAN1 IP Address:  172.16.16.254
0
 
fgasimzadeCommented:
Add this to your config

access-list 101 deny   ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255

I suggest adding it after access-list 101 deny   ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
0
 
andrewprouseAuthor Commented:
Sorry didn't notice your post.....   I've just added your command to ACL 101 but I don;t seem to be any further forward.

The VPN appreas UP if I use Draytek's aggressive mode, but as soon as I put it back to 'main mode' the VPN never starts.  In both modes however the Cisco debug is plaugued with messages about 'purging nodes':


BRISTOL-RTR#
*Aug 14 11:49:17.990: ISAKMP:(2014):purging node -615247504
BRISTOL-RTR#
*Aug 14 11:49:28.326: ISAKMP (0:2014): received packet from 87.194.205.145 dport 500 sport 500 Global (R) QM_IDLE
*Aug 14 11:49:28.326: ISAKMP: set new node -1337222847 to QM_IDLE
*Aug 14 11:49:28.330: ISAKMP:(2014): processing HASH payload. message ID = -1337222847
*Aug 14 11:49:28.330: ISAKMP:(2014): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -1337222847, sa = 851CD7B4
*Aug 14 11:49:28.330: ISAKMP:(2014):deleting node -1337222847 error FALSE reason "Informational (in) state 1"
*Aug 14 11:49:28.330: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 14 11:49:28.330: ISAKMP:(2014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug 14 11:49:28.330: ISAKMP:(2014):DPD/R_U_THERE received from peer 87.194.205.145, sequence 0xB60
*Aug 14 11:49:28.330: ISAKMP: set new node 1339048727 to QM_IDLE
*Aug 14 11:49:28.330: ISAKMP:(2014):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2219908288, message ID = 1339048727
*Aug 14 11:49:28.330: ISAKMP:(2014): seq. no 0xB60
*Aug 14 11:49:28.330: ISAKMP:(2014): sending packet to 87.194.205.145 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 14 11:49:28.330: ISAKMP:(2014):Sending an IKE IPv4 Packet.
*Aug 14 11:49:28.330: ISAKMP:(2014):purging node 1339048727
BRISTOL-RTR#
*Aug 14 11:49:28.330: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Aug 14 11:49:28.330: ISAKMP:(2014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

BRISTOL-RTR#
*Aug 14 11:49:33.074: ISAKMP:(2014):purging node 1343386404
BRISTOL-RTR#
*Aug 14 11:49:43.414: ISAKMP (0:2014): received packet from 87.194.205.145 dport 500 sport 500 Global (R) QM_IDLE
*Aug 14 11:49:43.414: ISAKMP: set new node 621411317 to QM_IDLE
*Aug 14 11:49:43.414: ISAKMP:(2014): processing HASH payload. message ID = 621411317
*Aug 14 11:49:43.414: ISAKMP:(2014): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 621411317, sa = 851CD7B4
*Aug 14 11:49:43.414: ISAKMP:(2014):deleting node 621411317 error FALSE reason "Informational (in) state 1"
*Aug 14 11:49:43.414: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 14 11:49:43.414: ISAKMP:(2014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug 14 11:49:43.414: ISAKMP:(2014):DPD/R_U_THERE received from peer 87.194.205.145, sequence 0xB61
*Aug 14 11:49:43.414: ISAKMP: set new node -737335812 to QM_IDLE
*Aug 14 11:49:43.414: ISAKMP:(2014):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2219908288, message ID = -737335812
*Aug 14 11:49:43.414: ISAKMP:(2014): seq. no 0xB61
*Aug 14 11:49:43.414: ISAKMP:(2014): sending packet to 87.194.205.145 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 14 11:49:43.414: ISAKMP:(2014):Sending an IKE IPv4 Packet.
*Aug 14 11:49:43.414: ISAKMP:(2014):purging node -737335812
0
 
andrewprouseAuthor Commented:
I'm also getting a lot of these messages:

*Aug 14 11:53:48.754: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
0
 
fgasimzadeCommented:
Can you do show crypto ipsec again please?
0
 
andrewprouseAuthor Commented:
BRISTOL-RTR#sh cry ipsec sa

interface: Dialer0
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 93

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE6(2344013030)

     inbound esp sas:
      spi: 0x7D58F445(2102981701)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 23, flow_id: Motorola SEC 2.0:23, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554930/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE6(2344013030)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 24, flow_id: Motorola SEC 2.0:24, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554950/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access3
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 93

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE6(2344013030)

     inbound esp sas:
      spi: 0x7D58F445(2102981701)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 23, flow_id: Motorola SEC 2.0:23, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554930/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE6(2344013030)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 24, flow_id: Motorola SEC 2.0:24, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554950/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
BRISTOL-RTR#
0
 
fgasimzadeCommented:
Can you post sh ip access-list 101?
0
 
andrewprouseAuthor Commented:
BRISTOL-RTR#sh ip access 101
Extended IP access list 101
    10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255 (3826 matches)
    20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
    30 permit ip 172.16.16.0 0.0.15.255 any (350164 matches)
    40 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    50 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
    60 permit ip 192.168.200.0 0.0.0.255 any (5228 matches)
    70 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
0
 
andrewprouseAuthor Commented:
Changed to 102:


route-map RMAP-1 permit 1
 match ip address 102
!

BRISTOL-RTR#sh ip access 102
Extended IP access list 102
    10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
    20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
    30 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
    40 permit ip 172.16.16.0 0.0.15.255 any
    50 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    60 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
    70 permit ip 192.168.200.0 0.0.0.255 any
BRISTOL-RTR#
0
 
andrewprouseAuthor Commented:
BRISTOL-RTR#sh ip access 102
Extended IP access list 102
    10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255 (6 matches)
    20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
    30 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
    40 permit ip 172.16.16.0 0.0.15.255 any (28 matches)
    50 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    60 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
    70 permit ip 192.168.200.0 0.0.0.255 any (4 matches)
0
 
fgasimzadeCommented:
Ok, now see if you can ping the other side. If no, post the show crypto ipsec again
0
 
andrewprouseAuthor Commented:
Still no reply from the other side.

BRISTOL-RTR#sh cry ipsec sa

interface: Dialer0
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 115

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE7(2344013031)

     inbound esp sas:
      spi: 0xF1C686AE(4056319662)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 25, flow_id: Motorola SEC 2.0:25, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497036/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE7(2344013031)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 26, flow_id: Motorola SEC 2.0:26, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497038/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access3
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 115

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE7(2344013031)

     inbound esp sas:
      spi: 0xF1C686AE(4056319662)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 25, flow_id: Motorola SEC 2.0:25, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497036/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE7(2344013031)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 26, flow_id: Motorola SEC 2.0:26, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497038/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
BRISTOL-RTR#
0
 
fgasimzadeCommented:
local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 115


0 here means that packets do not reach the router (routing problem) or NAT problem

From where are you pinging?
0
 
andrewprouseAuthor Commented:
Although the VPN comes UP I'm still getting the following:

*Aug 14 13:05:48.794: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:05:48.794: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:05:48.794: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:07:27.058: ISAKMP:(2017):purging node 2002373508
0
 
fgasimzadeCommented:
Where are you pinging from?

How do you see that the VPN is up?
0
 
andrewprouseAuthor Commented:
Ah, we may have just got somewhere.

After your change to ACL 102 I cleared all tunnels and sessions the re-initiated the VPN from the draytek side.  I can now ping from the Cisco router's VLAN1 interface to the Draytek router and beyond to LAN devices.

I am now just trying to get the ping working the other way.
0
 
fgasimzadeCommented:
For testing, you need to ping from a PC to PC, not from vpn devices
0
 
andrewprouseAuthor Commented:
I can ping from SITE 1 PC to SITE 2 LAN DEVICE

I'm just trying to arrange access to a PC on site 2 to try pinging the other way.

SITE 2 router cannot ping SITE 1 router or LAN, but you could be right so I'll keep trying to get access to a PC on SITE 2
0
 
andrewprouseAuthor Commented:
fgasimzade...I think we've done it :)

It must have been the NAT rule that you suggested I add to the NAT ACL.

Strange though that I'm still getting these debug messages:

*Aug 14 13:38:11.482: No peer struct to get peer description
*Aug 14 13:38:11.482: No peer struct to get peer description
*Aug 14 13:38:11.482: No peer struct to get peer description
*Aug 14 13:38:55.750: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:38:56.514: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:38:57.274: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

However, I don't really mind, the main thing is that it is up and working....thank you :)
0
 
fgasimzadeCommented:
have a good day!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.