Cisco ASA Lan to Lan VPN with Draytek 2930

Hi,


I've recently installed a Cisco ASA with a NAT'd configuration. I'm in the final stages and would like to configure a LAN-to-LAN VPN to a Draytek box, but that unfortunately isn't going well, and having spent almost two days on it I am starting to wonder if it will actually work. I can get it to connect, but no data seems to be transmitted between the two.

Site A, on the 10.0.0.0 range, has the ASA; Site B is on 192.168.16.0 and is a Draytek 2930.

Below is the ASA config created with the LAN-to-LAN wizard:

route outside 0.0.0.0 0.0.0.0 193.164.x
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.16.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 176.35.x
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 176.35.x
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal 3DES
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 130.88.203.12 source outside prefer
webvpn
group-policy GroupPolicy_176.35.x internal
group-policy GroupPolicy_176.35.x attributes
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 176.35.x type ipsec-l2l
tunnel-group 176.35.x general-attributes
 default-group-policy GroupPolicy_176.35.x
tunnel-group 176.35.x ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

The 2960 is set to 3DES with Authentication.


What the stats say is below, so there is obviously an error somewhere.



      access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.16.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.16.0/255.255.255.0/0/0)
      current_peer: 176.35.112.38

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 24


Here is the debug log; it doesn't look like there is anything obvious there?

IPSEC: New embryonic SA created @ 0x748f8a30,
    SCB: 0x72FD2F28,
    Direction: inbound
    SPI      : 0x13A56ABA
    Session ID: 0x0006E000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x748b6de0,
    SCB: 0x746FD8E8,
    Direction: outbound
    SPI      : 0x678FA4E0
    Session ID: 0x0006E000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x678FA4E0
IPSEC: Creating outbound VPN context, SPI 0x678FA4E0
    Flags: 0x00000005
    SA   : 0x748b6de0
    SPI  : 0x678FA4E0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x5FA611AF
    Channel: 0x6deb45c0
IPSEC: Completed outbound VPN context, SPI 0x678FA4E0
    VPN handle: 0x0009a664
IPSEC: New outbound encrypt rule, SPI 0x678FA4E0
    Src addr: 10.0.0.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.16.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x678FA4E0
    Rule ID: 0x746ffec0
IPSEC: New outbound permit rule, SPI 0x678FA4E0
    Src addr: 193.164.206.198
    Src mask: 255.255.255.255
    Dst addr: 176.35.112.38
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x678FA4E0
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x678FA4E0
    Rule ID: 0x7374bbe0
IPSEC: Completed host IBSA update, SPI 0x13A56ABA
IPSEC: Creating inbound VPN context, SPI 0x13A56ABA
    Flags: 0x00000006
    SA   : 0x748f8a30
    SPI  : 0x13A56ABA
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0009A664
    SCB  : 0x5FA5C58F
    Channel: 0x6deb45c0
IPSEC: Completed inbound VPN context, SPI 0x13A56ABA
    VPN handle: 0x0009d7c4
IPSEC: Updating outbound VPN context 0x0009A664, SPI 0x678FA4E0
    Flags: 0x00000005
    SA   : 0x748b6de0
    SPI  : 0x678FA4E0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x0009D7C4
    SCB  : 0x5FA611AF
    Channel: 0x6deb45c0
IPSEC: Completed outbound VPN context, SPI 0x678FA4E0
    VPN handle: 0x0009a664
IPSEC: Completed outbound inner rule, SPI 0x678FA4E0
    Rule ID: 0x746ffec0
IPSEC: Completed outbound outer SPD rule, SPI 0x678FA4E0
    Rule ID: 0x7374bbe0
IPSEC: New inbound tunnel flow rule, SPI 0x13A56ABA
    Src addr: 192.168.16.0
    Src mask: 255.255.255.0
    Dst addr: 10.0.0.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x13A56ABA
    Rule ID: 0x7489e718
IPSEC: New inbound decrypt rule, SPI 0x13A56ABA
    Src addr: 176.35.112.38
    Src mask: 255.255.255.255
    Dst addr: 193.164.206.198
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x13A56ABA
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x13A56ABA
    Rule ID: 0x748f6a78
IPSEC: New inbound permit rule, SPI 0x13A56ABA
    Src addr: 176.35.x
    Src mask: 255.255.255.255
    Dst addr: 193.164.x
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x13A56ABA
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x13A56ABA
    Rule ID: 0x748f6b10 

Do I need to add a route for 192.168.16.0?


Any help would be greatly appreciated.


Thanks,
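As an added example (not from the post or from Cisco), here is a small Python parser for the `show crypto ipsec sa` counters quoted above, with the same values embedded as a constructed sample (the peer address is a documentation-range placeholder). It turns the encaps/decaps asymmetry and the recv-error count into explicit observations; the threshold ratio and the function names are my own assumptions.

```python
import re

# Constructed sample mirroring the counters in the post; the peer IP is a documentation address.
SAMPLE_SA = """\
      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.16.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 24
"""

COUNTER_RE = re.compile(r"#([\w -]+?):\s*(\d+)")  # every '#name: N' field on a line

def parse_sa_counters(text):
    """Return {counter name: value} for every '#name: N' field in the SA output."""
    return {name.strip(): int(val) for name, val in COUNTER_RE.findall(text)}

def parse_idents(text):
    """Return the local and remote proxy identities as 'net/mask' strings."""
    idents = dict(re.findall(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/", text))
    return idents.get("local"), idents.get("remote")

def assess_sa(counters, ratio=5):
    """Turn raw counters into plain-language observations about tunnel health (heuristic)."""
    enc, dec = counters.get("pkts encaps", 0), counters.get("pkts decaps", 0)
    recv_err = counters.get("recv errors", 0)
    notes = []
    if enc == 0 and dec == 0:
        notes.append("no traffic either way: nothing is matching the crypto ACL")
    elif dec >= ratio * max(enc, 1):
        notes.append(f"asymmetric: {dec} decaps vs {enc} encaps; return traffic is not being sent "
                     "into the tunnel (on a NATed ASA check NAT exemption and the route for the remote subnet)")
    elif enc >= ratio * max(dec, 1):
        notes.append(f"asymmetric: {enc} encaps vs {dec} decaps; the remote side is not replying or its traffic is not reaching this peer")
    if recv_err and dec and recv_err >= dec // 2:
        notes.append(f"{recv_err} recv errors against {dec} decaps: most decrypted packets are being dropped inbound")
    elif recv_err:
        notes.append(f"{recv_err} recv errors")
    return notes
```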

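A second added example, also not from the post or from Cisco: a Python audit of the wizard-generated IKEv1 transform-sets and ISAKMP policies for single DES, 3DES, MD5 and DH group 2, run over a constructed excerpt of the config above. The WEAK table, its labels and the function names are my assumptions.

```python
import re

# Constructed excerpt modelled on the wizard-generated lines in the post (not a live config).
SAMPLE_CFG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
"""

# Algorithm keywords a reviewer would flag, mapped to the finding text (assumed table).
WEAK = {"esp-des": "single DES", "des": "single DES", "esp-3des": "3DES (legacy)",
        "3des": "3DES (legacy)", "esp-md5-hmac": "MD5 integrity", "md5": "MD5 hash",
        "2": "1024-bit DH group 2"}

def audit_transform_sets(cfg):
    """Map each ikev1 transform-set name to the weak algorithms it uses."""
    findings = {}
    for name, algs in re.findall(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", cfg, re.M):
        weak = [WEAK[a] for a in algs.split() if a in WEAK]
        if weak:
            findings[name] = weak
    return findings

def offered_weak_sets(cfg):
    """Weak transform-sets a crypto map entry actually offers to the peer, in proposal order."""
    weak = audit_transform_sets(cfg)
    offered = re.findall(r"^crypto map \S+ \d+ set ikev1 transform-set (.+)$", cfg, re.M)
    return [s for line in offered for s in line.split() if s in weak]

def audit_ike_policies(cfg):
    """Map each ikev1 policy number to its weak encryption/hash/DH-group settings."""
    findings = {}
    parts = re.split(r"^crypto ikev1 policy (\d+)$", cfg, flags=re.M)
    for num, body in zip(parts[1::2], parts[2::2]):  # (number, block body) pairs
        issues = []
        for line in body.splitlines():
            kw = line.split()
            if len(kw) == 2 and kw[0] in ("encryption", "hash", "group") and kw[1] in WEAK:
                issues.append(WEAK[kw[1]])
        if issues:
            findings[num] = issues
    return findings
```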
1 REPLY

Cisco ASA Lan to Lan VPN with Draytek 2930

Hey Dominic,

Good news is that Draytek 2820, 2830s etc. to Cisco ASA does work!!! I have about 15 of them connecting to an ASA 5510.

Sad news is that I am a GUI person, so I am not sure what config to send you.

I would be happy to share the configs... let me know if you were successful.
