I am trying to connect my 2820n to a Cisco PIX 515E using a IPSec LAN to LAN VPN. I am running into a very strange problem that I think might be a bug in the Draytek firmware.

The issue is that the tunnel is established fine but only the subnet entered on the "Remote Network IP" field (VPN and Remote Access >> LAN to LAN, section 4) is reachable. None of the ones in the "More" page work. I can prove that this is true by swapping them around, dropping the connection and reconnecting. In each case, only the subnet entered on the "Remote Network IP" field is reachable.

Here is the access list configuration on the PIX:

Code:

access-list inside_1_cryptomap extended permit ip 10.10.204.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list inside_1_cryptomap extended permit ip 10.10.205.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list inside_1_cryptomap extended permit ip 10.10.206.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list inside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0

Here is the routing table on the 2820n:

Code:

> ip route status Codes: C - connected, S - static, R - RIP, * - default, ~ - private *             0.0.0.0/         0.0.0.0 via 89.145.254.70, IF3 S~        10.10.204.0/   255.255.255.0 via 200.124.127.254, IF8 S~        10.10.205.0/   255.255.255.0 via 200.124.127.254, IF8 S~        10.10.206.0/   255.255.255.0 via 200.124.127.254, IF8 *       89.145.254.70/ 255.255.255.255 via 89.145.254.70, IF3 S       95.172.233.97/ 255.255.255.255 via 95.172.233.97, IF3 C~        192.168.2.0/   255.255.255.0 is directly connected, IF0 S~      192.168.200.0/   255.255.255.0 via 200.124.127.254, IF8

They appear to be sorted in numerical order. This looks fine to me. But it exhibits the symtoms I describe above - only the network in the "Remote Network IP" field is reachable.

This looks to me like a GUI bug but maybe I misunderstand how to use it. Am I doing something wrong?

Alternatively, should I be configuring this from the command line instead?

Thanks

You should check the routing tables on the cisco as well, traffic would need a return path to be able to route correctly.

You could also potentially enable RIP on both devices so that the routes are configured automatically.

I don't think that's it. The routes are correct on both sides.

I can prove that the problem is in the DrayTek router by moving the networks around in the UI. Only the one in "Remote Network IP" is reachable, regardless of what the route table says. This seems like a bug.

I would report it to the support team then, although you should make sure that any subnets running at the cisco end are also added to the 'more' section of the VPN profile.

Finally, update the firmware on the draytek just in case its a bug which has already been addressed.

All subnets match on both sides of the connection. I am running the latest firmware.

I will report this.

You could also potentially enable RIP on both devices so that the routes are configured automatically.