02-10-2008 08:49 PM
Hi everyone,
I am trying to make a site-to-site VPN between our office and the boss's home. They both have ADSL with dynamic IP addresses. The office uses a Cisco 877w router. At home is the Draytek 2800.
Has anyone had experience with these devices? I don't know if a VPN between them is possible as they both have dynamic IPs. We use DynDNS on the Cisco side, and set the Draytek to use a URL to work out the IP. Could someone please let me know how to set up the Cisco end? We have the Cisco set up for remote login only. I am thinking of Easy VPN.
Also at the Draytek end, we will put in a VoIP handset to connect back to the server in the office. The VPN should be always on because the handset will look for a DHCP server.
I attached the Cisco config. Thank you very much for all comments.
Triet
02-11-2008 12:55 AM
Hi,
Here are my observations:
Your dialer interface would be better off configured with a static IP address. It's cleaner and easier: you don't rely on DNS, and you know what the IP is for troubleshooting and SSH access.
You have ip http server enabled but not secure http server. This should be the other way around; better still, disable HTTP and HTTPS for enhanced security. Do you really need this?
It doesn't look like your crypto map has interesting traffic matched by an ACL.
Have you run some debug crypto commands to see where the error might be? Does IKE phase 1 negotiate?
Can you paste a sho ip route?
I hope this helps,
Cheers
02-11-2008 07:24 PM
Thank you for your reply.
I can't have a static IP on the dialer interface at the moment. I turned off the HTTP server and turned on HTTPS.
Here is the show ip route:
172.18.0.0/32 is subnetted, 1 subnets
C 172.18.112.99 is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
S 10.1.2.1/32 [1/0] via 121.219.44.67
S 10.1.2.3/32 [1/0] via 121.219.54.254
C 10.1.1.0/24 is directly connected, BVI1
S 10.1.2.2/32 [1/0] via 58.171.208.238
S 10.1.2.4/32 [1/0] via 121.219.54.254
124.0.0.0/32 is subnetted, 1 subnets
C 124.180.YYY.XXX is directly connected, Dialer0
S* 0.0.0.0/0 is directly connected, Dialer0
124.180.YYY.XXX is our current WAN IP. The 10.1.2.x subnet is for remote login.
Best regards,
Triet
02-12-2008 12:28 AM
Hi,
It looks like you need more config under the crypto map, here's an example:
crypto map
 description
 set peer
 set transform-set
 match address
...otherwise I don't see how the interesting traffic is going to get encrypted.
Also, how does the Cisco box know where the tunnel endpoint is on the Draytek? Statics are the best way forward.
You are/will need to be aware of the order of IP forwarding operations; see this link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
For testing this, run:
debug crypto isa
debug crypto ipsec
Cheers
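The skeleton above leaves out the pieces that actually decide what gets encrypted and who is allowed to bring the tunnel up. The following is an added, constructed example of a complete IOS-side configuration for the situation in this thread (not taken from the thread or from the original poster's config). The office LAN 10.1.1.0/24 and the Dialer0 interface come from the posted routing table; the home LAN 192.168.1.0/24, the names TS-HOME, VPN-HOME, DYN-HOME, CM-OUTSIDE and NAT-INSIDE, and the pre-shared key are assumptions chosen for the example. Because the Draytek's address is unknown in advance, a dynamic crypto map is used on the Cisco side instead of a fixed set peer:

```cisco
! ---- Phase 1 (ISAKMP) policy: constructed example, not the poster's config ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! Pre-shared key bound to a wildcard address, because the home router's
! dynamic IP cannot be written into the config.  Anyone who learns this key
! can bring up a tunnel for the VPN-HOME traffic, so keep it long and random.
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 0.0.0.0 0.0.0.0
!
! ---- Phase 2 transform set (assumed name TS-HOME) ----
crypto ipsec transform-set TS-HOME esp-aes 256 esp-sha-hmac
!
! ---- Interesting traffic: office LAN (from the routing table) to home LAN (assumed) ----
ip access-list extended VPN-HOME
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! ---- Dynamic crypto map: accept the peer from any source address,
!      but only negotiate the traffic selected by VPN-HOME ----
crypto dynamic-map DYN-HOME 10
 set transform-set TS-HOME
 match address VPN-HOME
!
! The static map entry references the dynamic map; nothing else is needed
crypto map CM-OUTSIDE 10 ipsec-isakmp dynamic DYN-HOME
!
! Apply the crypto map to the interface that carries the public address
interface Dialer0
 crypto map CM-OUTSIDE
!
! ---- NAT exemption: inside-to-outside NAT runs before the crypto map
!      (the order-of-operations note linked above), so VPN traffic must be
!      excluded from the overload NAT or it will never match VPN-HOME ----
ip access-list extended NAT-INSIDE
 deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Dialer0 overload
```

Two consequences of this design are worth checking before relying on it for the VoIP handset. First, a dynamic crypto map can only respond, never initiate, so the Draytek must be the side that starts the tunnel (it can reach the office through the DynDNS name) and must be configured to keep it up; if the Draytek only dials on demand, the handset's DHCP request from the home LAN will not be what triggers it. Second, the wildcard pre-shared key removes the peer-address check that a static peer would give, so the ACL on the dynamic map is the only thing limiting what a holder of that key can reach; keep VPN-HOME narrow and verify with show crypto isakmp sa and show crypto ipsec sa that only the expected subnets appear once the tunnel is up.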