VPN between Draytek and Cisco877

Feb 10th, 2008

Hi everyone,

I am trying to make a site-to-site VPN between our office and the boss' home. They both have ADSL with dynamic IP addresses. The office uses a Cisco 877w router. At home is the Draytek 2800.

Has anyone had experience with these devices? I don't know if VPN between them is possible as they are all dynamic IPs. We use a DynDNS on the Cisco side, and set the Draytek to use a URL to work out the IP. Could someone please let me know how to set it up on the Cisco end? We have the Cisco set up for remote login only. I am thinking of Easy VPN.

Also at the Draytek end, we will put in a VoIP handset to connect back to the server in the office. The VPN should be always on because the handset will look for a DHCP server.

I attached the Cisco config. Thank you very much for all comments.


manufc Mon, 02/11/2008 - 00:55


Here are my observations:

Your dialer interface would be better off configured with a static IP address; it's cleaner and easier, don't rely on DNS and you know what the IP is for troubleshooting and SSH access.

You have ip http server enabled but not secure http server; this should be the other way around. Better still, disable http and https for enhanced security. Do you really need this?

It doesn't look like your crypto map has interesting traffic matched by an ACL.

Have you run some debug crypto commands to see where the error might be? Does IKE phase 1 negotiate?

Can you paste a sho ip route?

I hope this helps,


trietgiang Mon, 02/11/2008 - 19:24

Thank you for your reply.

I can't have a static IP on the dialer interface at the moment. I turned off HTTP server and turned on HTTPS.

Here is the show ip route:

is subnetted, 1 subnets

C is directly connected, Dialer0

is variably subnetted, 5 subnets, 2 masks

S [1/0] via

S [1/0] via

C is directly connected, BVI1

S [1/0] via

S [1/0] via

is subnetted, 1 subnets

C 124.180.YYY.XXX is directly connected, Dialer0

S* is directly connected, Dialer0

124.180.YYY.XXX is our current WAN IP. The 10.1.2.x subnet is for remote login.

Best regards,


manufc Tue, 02/12/2008 - 00:28


It looks like you need more config under the crypto map, here's an example:

crypto map


set peer

set transform-set

match address

...otherwise I don't see how the interesting traffic is going to get encrypted.

Also, how does the Cisco box know where the tunnel end point is on the Draytek? Statics are the best way forward.

You will need to be aware of the order of IP forwarding operation, see this link:


For testing this, run:

debug crypto isa

debug crypto ipsec
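
The checks raised in the replies above (HTTP server left enabled, crypto map entries lacking a peer, transform set or matching ACL), written as an added example that is not part of the thread: a short Python audit over a saved running-config. The map name VPNMAP, the addresses, the sample config and the function name `audit` are all constructed or hypothetical, and the "not applied to any interface" check goes one step beyond what the replies mention.

```python
import re

# Constructed sample config (not the config attached to the thread).
SAMPLE_CONFIG = """\
ip http server
no ip http secure-server
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS1
!
crypto map VPNMAP 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS1
 match address 101
!
interface Dialer0
 ip address negotiated
!
"""

REQUIRED = ("set peer", "set transform-set", "match address")

def audit(config):
    """Return findings for the points raised in the replies above."""
    findings, maps, applied, entry = [], {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        # Static entries only; "ipsec-isakmp dynamic ..." entries are skipped.
        head = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp\s*$", raw)
        if head:
            entry = maps.setdefault((head.group(1), head.group(2)), [])
        elif raw.startswith(" "):          # sub-command of the current section
            if entry is not None:
                entry.append(line)
            use = re.match(r"crypto map (\S+)$", line)
            if use:
                applied.add(use.group(1))
        else:                              # any other top-level line ends the entry
            entry = None
            if line == "ip http server":
                findings.append("ip http server: plain HTTP management is enabled")
    for (name, seq), body in maps.items():
        for req in REQUIRED:
            if not any(b.startswith(req + " ") for b in body):
                findings.append(f"crypto map {name} {seq}: missing '{req}'")
    for name in sorted({n for n, _ in maps} - applied):
        findings.append(f"crypto map {name}: not applied to any interface")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
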


