VPN between Draytek and Cisco877

trietgiang
Level 1

Hi everyone,

I am trying to make a site-to-site VPN between our office and the boss' home. They both have ADSL with dynamic IP addresses. The office uses Cisco 877w router. At home is the Draytek 2800.

Has anyone had experience with these devices? I don't know if VPN between them is possible as they are all dynamic IPs. We use a DynDNS on the Cisco side, and set the Draytek to use URL to work out the IP. Could someone please let me know how to setup in the Cisco end? We have the Cisco setup for remote login only. I am thinking of Easy VPN.

Also at the Draytek end, we will put in a VoIP handset to connect back to the server in the office. The VPN should be always on because the handset will look for a DHCP server.

I attached the Cisco config. Thank you very much for all comments.

Triet

3 Replies

manufc
Level 1

Hi,

Here are my observations:

Your dialer interface would be better off configured with a static IP address. It's cleaner and easier: you don't rely on DNS, and you know what the IP is for troubleshooting and SSH access.

You have ip http server enabled but not secure http server; this should be the other way around. Better still, disable HTTP and HTTPS for enhanced security. Do you really need this?

It doesn't look like your crypto map has interesting traffic matched by an ACL.

Have you run some debug crypto commands to see where the error might be? Does IKE phase 1 negotiate?

Can you paste a sho ip route?

I hope this helps,

Cheers

Thank you for your reply.

I can't have a static IP on the dialer interface at the moment. I turned off HTTP server and turned on HTTPS.

Here is the show ip route:

172.18.0.0/32 is subnetted, 1 subnets
C 172.18.112.99 is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
S 10.1.2.1/32 [1/0] via 121.219.44.67
S 10.1.2.3/32 [1/0] via 121.219.54.254
C 10.1.1.0/24 is directly connected, BVI1
S 10.1.2.2/32 [1/0] via 58.171.208.238
S 10.1.2.4/32 [1/0] via 121.219.54.254
124.0.0.0/32 is subnetted, 1 subnets
C 124.180.YYY.XXX is directly connected, Dialer0
S* 0.0.0.0/0 is directly connected, Dialer0

124.180.YYY.XXX is our current WAN IP. The 10.1.2.x subnet is for remote login.

Best regards,

Triet

Hi,

It looks like you need more config under the crypto map. Here's an example:

crypto map
description
set peer
set transform-set
match address

...otherwise I don't see how the interesting traffic is going to get encrypted.

Also, how does the Cisco box know where the tunnel endpoint is on the Draytek? Statics are the best way forward.

You are/will need to be aware of the order of IP forwarding operations; see this link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

For testing this, run:

debug crypto isa
debug crypto ipsec

Cheers
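The crypto map skeleton in the reply above, filled out as an added example (not config from the thread or from either poster) so the pieces it lists can be seen together with the ACL and NAT exemption they depend on. It uses the office LAN 10.1.1.0/24 from the show ip route output; the Draytek WAN address 192.0.2.10, the home LAN 10.1.3.0/24, the key and the ACL names are placeholders.

```cisco
! Added example for a Cisco 877 running IOS; addresses and names are placeholders.
!
! Phase 1 (IKE) policy and the pre-shared key for the remote peer
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 hash sha
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.10
!
! Phase 2 transform set referenced by "set transform-set"
crypto ipsec transform-set DRAYTEK-TS esp-aes 256 esp-sha-hmac
!
! Interesting traffic, office LAN <-> home LAN. This is the ACL that
! "match address" points at; without it nothing is ever encrypted.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
!
! NAT order of operation (the linked tech note): inside-to-outside NAT
! runs before encryption, so VPN traffic must be denied in the NAT ACL
! or it is translated to the WAN address and never matches VPN-TRAFFIC.
ip access-list extended NAT-TRAFFIC
 deny   ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface Dialer0 overload
!
! The crypto map ties the pieces together: description, set peer,
! set transform-set, match address.
! A static "set peer" assumes the Draytek has a fixed WAN address, as the
! reply recommends. If it stays dynamic, the alternative is to register a
! DDNS name for it and use "set peer <name> dynamic", assuming an IOS
! release that supports DNS resolution of the peer.
crypto map VPN-MAP 10 ipsec-isakmp
 description Site-to-site to the Draytek 2800 at home
 set peer 192.0.2.10
 set transform-set DRAYTEK-TS
 match address VPN-TRAFFIC
!
! Apply the map to the WAN (dialer) interface
interface Dialer0
 crypto map VPN-MAP
```

The remote-login hosts on 10.1.2.x are unaffected: they are not in VPN-TRAFFIC and still fall under the permit any line of NAT-TRAFFIC.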