• Status: Solved

Cisco ASA 5505 to Draytek Vigor 2860 VPN

We have a Cisco ASA 5505 that has several site-site VPN links to other Cisco devices.  We want to add a VPN to a new site which has a Draytek 2860.  We can configure the VPN at both ends (using e.g. http://www.draytek.com/index.php?option=com_k2&view=item&id=2027&Itemid=293&lang=en) but always get the following sort of debug errors from the Cisco:

Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2

We have tried many different IKE / IPSEC settings on both ends, with no luck so far.  There's no requirement to use anything particular (AES, 3DES, etc.) - it just needs to work.

What are the specific settings (or one set of them) for each end that are known to work together?  Thanks.
Asked: David Haycox
1 Solution
 
Rafael Commented:
The error code looks like a mismatch between Phase 1 and Phase 2. You may have one of the ends reversed.

I would first debug and look at getting Phase 1 working first.

Do you have the IPs in the object groups and ACLs?
 
David Haycox (Author) Commented:
Yes, that makes sense - but with the interfaces being different at each end it's tricky to spot the problem.

Can you be more specific on how to debug phase 1 please?

IPs are indeed in object groups and ACLs as detailed in the link above - the wizard takes care of that for you I think.
 
Pete Long (Consultant) Commented:
Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Make sure this is on.

My notes from last time I did a Draytek to Cisco VPN:

Vigor Draytek Site to Site VPN

1. VPN and Remote Access > IPSec General Setup > Enter then re-enter the Pre-Shared Key
2. VPN and Remote Access > LAN to LAN > Double-click the first free entry
3. Set a Profile Name > Enable this profile > Tick Always On
4. Dial Out settings > IPSec tunnel > In Server IP/Host Name enter the IP of the other end
5. Select IKE Pre-Shared Key and enter the shared secret
6. Select High ESP > Advanced button > Enable PFS > OK
7. Change High ESP to 3DES with authentication
8. Enter MY WAN IP > Remote Gateway IP > Remote Network IP and Mask
9. OK
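An added example, not code from any post in this thread or from either vendor: a small Python helper that compares the IKEv1 Phase 1 proposal of each end and decodes the ASA "Mismatched attribute types" debug line quoted in the question, so the attribute that differs (here the Diffie-Hellman group) is named directly. The policy values are constructed, with the ASA side set to a typical wizard default.

```python
# Added example: check IKEv1 Phase 1 proposals on both VPN ends and decode the
# ASA mismatch debug line. Policy values below are constructed for illustration.
import re

PHASE1_ATTRS = ("encryption", "hash", "authentication", "group", "lifetime")

# ASA debug line shape: ... class <attr>:  Rcv'd: <value>  Cfg'd: <value>
ASA_MISMATCH = re.compile(
    r"Mismatched attribute types for class (?P<attr>[\w ]+?):\s*"
    r"Rcv'd:\s*(?P<rcvd>.+?)\s+Cfg'd:\s*(?P<cfgd>.+?)\s*$"
)

# Constructed sample policies: ASA side is a typical site-to-site wizard default;
# the Draytek side still offers DH group 1, which is what the debug line reports.
ASA_END = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
           "group": 2, "lifetime": 86400}
DRAYTEK_END = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
               "group": 1, "lifetime": 86400}

# The debug line from the question, embedded here as sample input.
DEBUG_LINE = ("Phase 1 failure:  Mismatched attribute types for class Group Description:  "
              "Rcv'd: Group 1  Cfg'd: Group 2")


def compare_phase1(local, remote):
    """Return the names of the Phase 1 attributes that differ between the two ends."""
    return [a for a in PHASE1_ATTRS if local.get(a) != remote.get(a)]


def parse_asa_mismatch(line):
    """Parse one ASA mismatch debug line into (attribute, received, configured), or None."""
    m = ASA_MISMATCH.search(line)
    if m is None:
        return None
    return m.group("attr"), m.group("rcvd"), m.group("cfgd")


def fix_needed(local, remote):
    """Map each mismatched attribute to the value the remote end must be set to."""
    return {a: local[a] for a in compare_phase1(local, remote)}


if __name__ == "__main__":
    print("mismatched:", compare_phase1(ASA_END, DRAYTEK_END))  # ['group']
    print("debug:", parse_asa_mismatch(DEBUG_LINE))
    print("set on Draytek:", fix_needed(ASA_END, DRAYTEK_END))  # {'group': 2}
```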

 
Pete Long (Consultant) Commented:
Check the Diffie-Hellman group you have configured, to ensure both ends match.

Pete
 
David Haycox (Author) Commented:
That's pretty much how I have it already, will double-check though.  What about the Cisco end?  Thanks.
 
David Haycox (Author) Commented:
Got it working thanks to your excellent advice!

I didn't need to put the pre-shared key in IPSEC General setup (have never needed it before, I thought that was just for remote dial-in users, not site to site VPNs) but I didn't have Remote Gateway IP set (have never needed it before, got several Draytek-Draytek VPNs working fine without this - but it makes sense it should be there).

The Cisco end was pretty much just following the site-site VPN wizard on defaults.  I did have to fiddle about a bit to make the Draytek dial-out properly - possibly setting PFS to group 5 on the Cisco end - but it's working an absolute treat now.  Many thanks!
 
Pete Long (Consultant) Commented:
Nice one, glad I could be some help. Thank you.