Cisco ASA 5505 to Draytek Vigor 2860 VPN

We have a Cisco ASA 5505 that has several site-site VPN links to other Cisco devices.  We want to add a VPN to a new site which has a Draytek 2860.  We can configure the VPN at both ends (using e.g. but always get the following sort of debug errors from the Cisco:

Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2

We have tried many different IKE / IPSEC settings on both ends, with no luck so far.  There's no requirement to use anything particular (AES, 3DES, etc.) - it just needs to work.

What are the specific settings (or one set of them) for each end that are known to work together?  Thanks.
David Haycox asked:

The error code looks like a mismatch between Phase 1 and Phase 2. You may have one of the ends reversed.

I would first debug and look at getting Phase 1 working first.

Do you have the IPs in the object groups and ACLs?
David Haycox (Author) commented:
Yes, that makes sense - but with the interfaces being different at each end it's tricky to spot the problem.

Can you be more specific on how to debug phase 1 please?

IPs are indeed in object groups and ACLs as detailed in the link above - the wizard takes care of that for you I think.
Pete Long (Technical Consultant) commented:
Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

make sure this is on

My notes from last time I did a Draytek to Cisco VPN

Vigor Draytek Site to Site VPN

1. VPN and Remote Access > IPSec General Setup > Enter then re-enter the Pre Shared Key
2. VPN and Remote Access > LAN to LAN > Double Click the first free entry
3. Set a Profile Name > Enable this profile > Tick Always On
4. Dial Out settings > IPSec tunnel > In server IP host name enter the IP of the other end
5. Select IKE Pre Shared key and enter the shared secret
6. Select High ESP > Advanced button > Enable PFS > OK
7. Change High ESP to 3DES with authentication
8. Enter MY WAN IP > Remote Gateway IP > Remote Network IP and Mask
9. OK

Pete Long (Technical Consultant) commented:
Check the Diffie-Hellman group you have configured, to ensure both ends match.
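
As an added illustration (not part of this thread, nor Cisco or Draytek code), the helper below parses ASA `debug crypto isakmp` lines of the kind quoted in the question and reports, per attribute class, what the peer proposed versus what is configured locally. The first sample line is the one from the question; the other lines, including the "Encryption Alg" and "Hash Alg" class names, are constructed for the example.

```python
import re

# Shape of the ASA IKEv1 Phase 1 debug line quoted in the question:
# "... class <name>:  Rcv'd: <peer value>  Cfg'd: <local value>"
MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>[^:]+):\s*"
    r"Rcv'd:\s*(?P<rcvd>.+?)\s+Cfg'd:\s*(?P<cfgd>.+?)\s*$"
)

# Modulus sizes of the classic IKE MODP groups (RFC 2409 / RFC 3526).
DH_GROUP_BITS = {"Group 1": 768, "Group 2": 1024, "Group 5": 1536, "Group 14": 2048}

# Constructed sample debug output; only the first mismatch line is from the question.
SAMPLE_DEBUG = """\
Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Phase 1 failure:  Mismatched attribute types for class Encryption Alg:  Rcv'd: Triple-DES  Cfg'd: AES-256
Phase 1 failure:  Mismatched attribute types for class Hash Alg:  Rcv'd: MD5  Cfg'd: SHA
Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
IKE Receiver: some unrelated debug line (constructed)
"""


def parse_mismatches(debug_text):
    """Return one dict per mismatch line: attribute class, peer value, local value."""
    found = []
    for line in debug_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found.append({"class": m.group("cls").strip(),
                          "received": m.group("rcvd").strip(),
                          "configured": m.group("cfgd").strip()})
    return found


def advice(entry):
    """For the DH group, prefer raising the peer over downgrading the local policy."""
    cls, rcvd, cfgd = entry["class"], entry["received"], entry["configured"]
    if cls == "Group Description":
        rb, cb = DH_GROUP_BITS.get(rcvd), DH_GROUP_BITS.get(cfgd)
        if rb is not None and cb is not None and rb < cb:
            return f"peer offers {rcvd} ({rb}-bit); raise the peer to {cfgd} instead of lowering local"
    return f"align {cls}: peer {rcvd}, local {cfgd}"


def summarize(debug_text):
    """Collapse repeated lines per attribute class and attach advice to each."""
    by_class = {}
    for e in parse_mismatches(debug_text):
        by_class.setdefault(e["class"], (e["received"], e["configured"], advice(e)))
    return by_class


if __name__ == "__main__":
    for cls, (rcvd, cfgd, note) in summarize(SAMPLE_DEBUG).items():
        print(f"{cls:18} peer={rcvd:11} local={cfgd:8} -> {note}")
```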

David Haycox (Author) commented:
That's pretty much how I have it already, will double-check though.  What about the Cisco end?  Thanks.
David Haycox (Author) commented:
Got it working thanks to your excellent advice!

I didn't need to put the pre-shared key in IPSEC General setup (have never needed it before, I thought that was just for remote dial-in users, not site to site VPNs) but I didn't have Remote Gateway IP set (have never needed it before, got several Draytek-Draytek VPNs working fine without this - but it makes sense it should be there).

The Cisco end was pretty much just following the site-site VPN wizard on defaults.  I did have to fiddle about a bit to make the Draytek dial-out properly - possibly setting PFS to group 5 on the Cisco end - but it's working an absolute treat now.  Many thanks!
Pete Long (Technical Consultant) commented:
Nice One, Glad I could be some help. ThanQ